b8e46378...a3d8 | Grouped Behavior
VTI SCORE: 98/100
Dynamic Analysis Report
Classification: Trojan, Ransomware

b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8 (SHA256)

fivjf.exe

Windows Exe (x86-64)

Created at 2018-11-27 19:45:00

Notifications (2/3)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x954 Analysis Target High (Elevated) fivjf.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe" -
#2 0x97c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F #1
#3 0x988 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F #1
#4 0x9a4 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F #1
#5 0x9c4 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F #1
#6 0x9d8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F #1
#7 0xa08 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM excel.exe /F #1
#8 0xa28 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F #1
#9 0xa60 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F #1
#10 0xa80 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F #1
#12 0xaf8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F #1
#13 0xb10 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F #1
#14 0xb4c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F #1
#15 0xb64 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F #1
#16 0xbd0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F #1
#17 0xbec Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F #1
#18 0x6d8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F #1
#19 0x314 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F #1
#20 0x820 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F #1
#21 0x6c8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F #1
#22 0x7cc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F #1
#23 0x3b8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F #1
#25 0x900 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F #1
#26 0x8c0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F #1
#27 0x8bc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F #1
#28 0x920 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F #1
#29 0x944 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F #1
#30 0xa9c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F #1
#31 0xbc4 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F #1
#32 0x3c8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F #1
#33 0x950 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM steam.exe /F #1
#34 0xc1c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F #1
#35 0xc38 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F #1
#36 0xc84 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F #1
#37 0xca0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F #1
#38 0xccc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F #1
#39 0xcec Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM visio.exe /F #1
#40 0xd28 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM winword.exe /F #1
#41 0xd48 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F #1
#42 0xdb4 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F #1
#43 0xde8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F #1
#44 0xe3c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F #1
#45 0xe58 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F #1
#46 0xeb8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F #1
#47 0xee0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F #1
#48 0xf1c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y #1
#49 0xf38 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y #1
#50 0xf5c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Agent" /y #1
#51 0xfac Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y #1
#52 0xfc8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y #1
#53 0xfd4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y #48
#54 0xfdc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Enterprise Client Service" /y #49
#55 0xff4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y #50
#56 0x8a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y #1
#57 0xc8c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y #1
#58 0xd00 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y #51
#59 0xd30 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Clean Service" /y #52
#60 0xde4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y #1
#61 0xe60 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y #1
#62 0xedc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y #57
#63 0xf50 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y #1
#64 0xff8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y #1
#65 0xfdc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y #1
#66 0xf60 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Device Control Service" /y #56
#67 0xf94 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Health Service" /y #60
#68 0xcf4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos MCS Agent" /y #61
#69 0xca8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y #1
#70 0xffc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y #1
#71 0xc4c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos MCS Client" /y #63
#72 0xd30 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Message Router" /y #64
#73 0xe54 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y #1
#74 0xcb8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y #1
#75 0xf20 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Safestore Service" /y #65
#76 0xc40 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos System Protection Service" /y #69
#77 0xf38 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y #73
#78 0xfac Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y #1
#79 0xc24 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Web Control Service" /y #70
#80 0x8a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y #1
#81 0xe60 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop AcronisAgent /y #1
#82 0x1010 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Symantec System Recovery" /y #78
#83 0x101c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop AcrSch2Svc /y #1
#84 0x1068 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop Antivirus /y #1
#85 0x1074 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop AcrSch2Svc /y #83
#86 0x107c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y #80
#87 0x10b8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ARSM /y #1
#88 0x10c0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y #74
#89 0x10d4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop AcronisAgent /y #81
#90 0x10dc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop Antivirus /y #84
#91 0x10ec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y #1
#92 0x1108 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y #1
#93 0x111c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y #1
#94 0x1140 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecAgentBrowser /y #92
#95 0x1148 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y #1
#96 0x1158 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ARSM /y #87
#97 0x1160 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y #91
#98 0x1170 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecManagementService /y #1
#99 0x119c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecRPCService /y #1
#100 0x11a8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y #93
#101 0x11b8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y #1
#102 0x11d0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop bedbg /y #1
#103 0x1200 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop DCAgent /y #1
#104 0x1220 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecRPCService /y #99
#105 0x1234 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecJobEngine /y #95
#106 0x123c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EPSecurityService /y #1
#107 0x1248 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecVSSProvider /y #101
#108 0x1250 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecManagementService /y #98
#109 0x1258 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop bedbg /y #102
#110 0x126c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EPUpdateService /y #1
#111 0x1278 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop DCAgent /y #103
#112 0x1290 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EraserSvc11710 /y #1
#113 0x12a0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EPSecurityService /y #106
#114 0x12b0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EsgShKernel /y #1
#115 0x12d0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop FA_Scheduler /y #1
#116 0x1374 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EraserSvc11710 /y #112
#117 0x1380 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop IISAdmin /y #1
#118 0xf20 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop IISAdmin /y #117
#119 0xf38 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop FA_Scheduler /y #115
#120 0xee8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EPUpdateService /y #110
#121 0xff4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EsgShKernel /y #114
#122 0xec0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop IMAP4Svc /y #1
#123 0xfdc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop macmnsvc /y #1
#124 0x1010 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop masvc /y #1
#125 0xca8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop IMAP4Svc /y #122
#126 0xfac Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop macmnsvc /y #123
#127 0x1078 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MBAMService /y #1
#128 0xce8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MBEndpointAgent /y #1
#129 0xdf0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McAfeeEngineService /y #1
#130 0x10e8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McAfeeFramework /y #1
#131 0x10d8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop masvc /y #124
#132 0x10b0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MBAMService /y #127
#133 0xe60 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MBEndpointAgent /y #128
#134 0x1114 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y #1
#135 0x106c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McShield /y #1
#136 0x112c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McTaskManager /y #1
#137 0xd70 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mfemms /y #1
#138 0x1110 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McAfeeFramework /y #130
#139 0x1158 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McAfeeEngineService /y #129
#140 0x10bc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McTaskManager /y #136
#141 0x10b8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mfevtp /y #1
#142 0x11b4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MMS /y #1
#143 0x1138 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y #134
#144 0x11d8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McShield /y #135
#145 0x1214 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mozyprobackup /y #1
#146 0x1224 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mfemms /y #137
#147 0x1220 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mfevtp /y #141
#148 0x1218 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MsDtsServer /y #1
#149 0x1284 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MsDtsServer100 /y #1
#150 0x1228 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MMS /y #142
#151 0x12c4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MsDtsServer110 /y #1
#152 0x9e4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeES /y #1
#153 0x11d0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeIS /y #1
#154 0x127c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MsDtsServer /y #148
#155 0x988 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mozyprobackup /y #145
#156 0x99c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MsDtsServer110 /y #151
#157 0xa70 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y #1
#158 0x12ec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeMTA /y #1
#159 0x12f0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MsDtsServer100 /y #149
#160 0x12f8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeSA /y #1
#161 0x1278 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeES /y #152
#162 0x130c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeIS /y #153
#163 0x420 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeSRS /y #1
#164 0xba0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeSA /y #160
#165 0x1318 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeMGMT /y #157
#166 0xa24 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y #1
#167 0x80c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y #1
#168 0x324 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeMTA /y #158
#169 0x9f4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y #1
#170 0x9a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y #1
#171 0x121c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y #1
#172 0xb40 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeSRS /y #163
#173 0x8c4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y #166
#174 0xa5c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y #167
#175 0x9c0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y #1
#176 0x538 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y #1
#177 0x8dc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y #170
#178 0x828 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y #1
#179 0xb78 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y #171
#180 0xb34 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y #1
#181 0xb58 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$TPS /y #169
#182 0x51c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y #1
#183 0xc4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y #1
#184 0xbf0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y #178
#185 0x1200 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y #1
#186 0x1340 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y #176
#187 0x1e0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y #175
#188 0x510 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y #180
#189 0x1348 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y #182
#190 0x1350 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y #1
#191 0xc58 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$TPS /y #1
#192 0xa88 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y #185
#193 0x8f8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y #183
#194 0xa8c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y #1
#195 0x418 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y #1
#196 0xb3c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y #190
#197 0x49c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$TPS /y #191
#198 0x1368 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y #1
#199 0x90c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y #1
#200 0x9ec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y #1
#201 0x91c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$TPSAMA /y #194
#202 0x137c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y #195
#203 0xd08 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y #1
#204 0x8ec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y #1
#205 0xc14 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y #198
#206 0xc68 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y #1
#207 0x81c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher /y #199
#208 0xc80 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y #203
#209 0x584 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y #200
#210 0xc10 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y #1
#211 0x924 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y #1
#212 0x950 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y #1
#213 0x9a0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y #206
#214 0xb18 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y #204
#215 0x824 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLSERVER /y #1
#216 0x228 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y #1
#217 0xaf8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y #1
#218 0xa80 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y #212
#219 0xad4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y #210
#220 0x7cc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y #211
#221 0x7e8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MySQL80 /y #1
#222 0xb70 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MySQL57 /y #1
#223 0xbec Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLSERVER /y #215
#224 0x92c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLServerOLAPService /y #217
#225 0xcac Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y #216
#226 0xd04 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ntrtscan /y #1
#227 0x13c0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop OracleClientCache80 /y #1
#228 0xe14 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop PDVFSService /y #1
#229 0xea4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MySQL80 /y #221
#230 0xeb0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop POP3Svc /y #1
#231 0xc88 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer /y #1
#232 0xca4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MySQL57 /y #222
#233 0xdac Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ntrtscan /y #226
#234 0xcf0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop OracleClientCache80 /y #227
#235 0xe80 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop PDVFSService /y #228
#236 0xe84 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y #1
#237 0xd20 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y #1
#238 0x1290 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$TPS /y #1
#239 0x1264 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y #1
#240 0x11b8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer /y #231
#241 0xcf8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop POP3Svc /y #230
#242 0xcb4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$TPS /y #238
#243 0xc98 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop RESvc /y #1
#244 0xd40 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop sacsvr /y #1
#245 0xe68 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y #236
#246 0xde0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y #237
#247 0xc40 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SamSs /y #1
#248 0x12b4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SAVAdminService /y #1
#249 0xe54 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SAVService /y #1
#250 0xf30 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SamSs /y #247
#251 0xfbc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SDRSVC /y #1
#252 0xf8c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$TPSAMA /y #239
#253 0xf04 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop sacsvr /y #244
#254 0xe40 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SAVAdminService /y #248
#255 0xe3c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop RESvc /y #243
#256 0xe50 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SepMasterService /y #1
#257 0xf84 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ShMonitor /y #1
#258 0xfa0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop Smcinst /y #1
#259 0x1030 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SAVService /y #249
#260 0xea8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SDRSVC /y #251
#261 0xef4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SmcService /y #1
#262 0xe5c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SMTPSvc /y #1
#263 0x126c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SepMasterService /y #256
#264 0x12cc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ShMonitor /y #257
#265 0xfe8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop Smcinst /y #258
#266 0xe74 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SNAC /y #1
#267 0xfcc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SntpService /y #1
#268 0xf24 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop sophossps /y #1
#269 0xc9c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y #1
#270 0x10c8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y #1
#271 0xfec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y #1
#272 0xfb0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y #1
#273 0x1074 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y #1
#274 0x101c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y #1
#275 0x1158 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y #1
#276 0x10bc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y #271
#277 0x113c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y #272
#278 0xdf0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y #273
#279 0x1024 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y #1
#280 0x10d4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y #1
#281 0x112c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y #274
#282 0x1138 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y #275
#283 0x1140 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y #1
#284 0x1084 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y #1
#285 0x1274 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y #279
#286 0x1220 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y #280
#287 0x1224 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y #1
#288 0xd6c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y #1
#289 0x11e8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$TPS /y #283
#290 0x1174 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y #284
#291 0x9b8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLBrowser /y #1
#292 0x12a4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y #1
#293 0x8b0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y #1
#294 0xba8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLBrowser /y #291
#295 0x1320 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y #287
#296 0xba4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y #288
#297 0x12a0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y #1
#298 0xba0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLSafeOLRService /y #292
#299 0x1278 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SMTPSvc /y #262
#300 0x11d0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop sophossps /y #268
#301 0x908 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SmcService /y #261
#302 0x9e4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SNAC /y #266
#303 0x1324 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y #269
#304 0x4e4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y #1
#305 0xa50 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLWriter /y #1
#306 0x96c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y #270
#307 0x9b0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLSERVERAGENT /y #293
#308 0x420 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SstpSvc /y #1
#309 0xb98 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SntpService /y #267
#310 0x80c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop svcGenericHost /y #1
#311 0x330 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_filter /y #1
#312 0x578 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_service /y #1
#313 0x1204 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SstpSvc /y #308
#314 0xa64 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y #304
#315 0xb58 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY /y #297
#316 0x1288 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_update_64 /y #1
#317 0xa18 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TmCCSF /y #1
#318 0x8c8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop svcGenericHost /y #310
#319 0xd84 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLWriter /y #305
#320 0x918 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_service /y #312
#321 0x1344 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop tmlisten /y #1
#322 0x1e0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TrueKey /y #1
#323 0x828 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_filter /y #311
#324 0x7e4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y #1
#325 0x24c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_update_64 /y #316
#326 0x528 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y #1
#327 0x5e0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TmCCSF /y #317
#328 0x360 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop tmlisten /y #321
#329 0x9dc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop UI0Detect /y #1
#330 0xc6c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y #1
#331 0xc94 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TrueKeyScheduler /y #324
#332 0xb50 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TrueKeyServiceHelper /y #326
#333 0xc0c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y #1
#334 0xc4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop UI0Detect /y #329
#335 0x9b4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamBackupSvc /y #330
#336 0xc5c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y #1
#337 0xb04 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TrueKey /y #322
#338 0x1354 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y #1
#339 0x137c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y #1
#340 0xa8c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamBrokerSvc /y #333
#341 0x938 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y #1
#342 0xc14 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y #1
#343 0xd0c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamMountSvc /y #1
#344 0x32c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamDeploymentService /y #339
#345 0x1040 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamCatalogSvc /y #336
#346 0xc1c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamCloudSvc /y #338
#347 0x81c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y #1
#348 0xcd8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamMountSvc /y #343
#349 0x3c8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y #342
#350 0x8bc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamDeploySvc /y #341
#351 0x994 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y #1
#352 0x920 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y #1
#353 0x9a0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop W3Svc /y #1
#354 0xbd8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop wbengine /y #1
#355 0x7e0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamNFSSvc /y #347
#356 0xbd0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop WRSVC /y #1
#357 0x990 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y #1
#358 0xbf8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamRESTSvc /y #351
#359 0xa3c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamTransportSvc /y #352
#360 0xad4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop W3Svc /y #353
#361 0xb4c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y #1
#362 0x708 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop WRSVC /y #356
#363 0xcc8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop wbengine /y #354
#364 0xbf4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y #1
#365 0xbec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_update /y #1
#366 0xa78 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y #1
#367 0x13f4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y #1
#368 0x13fc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "SQL Backups" /y #1
#369 0x474 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_update /y #365
#370 0x7d8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y #361
#371 0x310 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y #357
#372 0xe00 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y #364
#373 0xd68 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PROD /y #1
#374 0x810 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$CXDB /y #366
#375 0xb28 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y #1
#376 0xb70 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "SQL Backups" /y #368
#377 0xda0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y #1
#378 0xd9c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y #367
#379 0xd04 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y #1
#380 0x1180 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PROD /y #373
#381 0xea0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop msftesql$PROD /y #1
#382 0xcf8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper /y #377
#383 0xd38 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop NetMsmqActivator /y #1
#384 0xeb0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Zoolz 2 Service" /y #375
#385 0xdb4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EhttpSrv /y #1
#386 0x1148 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PROD /y #379
#387 0x1360 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop msftesql$PROD /y #381
#388 0x6b4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ekrn /y #1
#389 0x1390 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ESHASRV /y #1
#390 0xf5c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y #1
#391 0xcf4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y #1
#392 0x1258 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop AVP /y #1
#393 0xd20 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop klnagent /y #1
#394 0x288 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y #1
#395 0xf34 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SOPHOS /y #390
#396 0x1270 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y #391
#397 0xe7c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop AVP /y #392
#398 0xd28 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y #1
#399 0xedc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop klnagent /y #393
#400 0x12b4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y #394
#401 0x12b0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop wbengine /y #1
#402 0xd60 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ESHASRV /y #389
#403 0xf38 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ekrn /y #388
#404 0xf10 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop kavfsslp /y #1
#405 0xde8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EhttpSrv /y #385
#406 0xf08 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop NetMsmqActivator /y #383
#407 0x1030 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y #398
#408 0xec0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop KAVFSGT /y #1
#409 0xee0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop KAVFS /y #1
#410 0x126c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mfefire /y #1
#411 0xf58 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe" /f #1
#412 0xce8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop kavfsslp /y #404
#413 0xfbc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop wbengine /y #401
#414 0x12d4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop KAVFSGT /y #408
#415 0x448 Injection Medium dwm.exe "C:\Windows\system32\Dwm.exe" #1
#416 0x10e4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mfefire /y #410
#417 0x4a4 Injection Medium taskhost.exe "taskhost.exe" #1
#418 0x1160 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop KAVFS /y #409
#419 0xfa0 Child Process High (Elevated) reg.exe REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe" /f #411
#420 0x59c Injection High (Elevated) taskeng.exe taskeng.exe {CD671DAD-4B74-4170-B439-24634829D136} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1] #1

Behavior Information - Grouped by Category

Process #1: fivjf.exe
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:56, Reason: Analysis Target
Unmonitor End Time: 00:02:21, Reason: Self Terminated
Monitor Duration 00:01:25
OS Process Information
Information Value
PID 0x954
Parent PID 0x458 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x958, 0x96C, 0x970, 0x974, 0x978, 0x984, 0x990, 0x9AC, 0x9CC, 0x9E0, 0xA10, 0xA30, 0xA68, 0xA88, 0xB00, 0xB18, 0xB54, 0xBC4, 0xBD8, 0xBF4, 0x570, 0x1E0, 0x510, 0x6F8, 0x7F0, 0x628, 0x8EC, 0x930, 0x950, 0x910, 0x934, 0xB0C, 0xBE8, 0x628, 0x940, 0xC24, 0xC40, 0xC8C, 0xCA8, 0xCD4, 0xCF4, 0xD30, 0xD50, 0xDBC, 0xDF0, 0xE44, 0xE60, 0xEC0, 0xEE8, 0xF24, 0xF40, 0xF64, 0xFB4, 0xFD0, 0x940, 0xCA8, 0xDFC, 0xEC0, 0xF64, 0xFD4, 0xF1C, 0xDFC, 0xFAC, 0xEF8, 0x940, 0x934, 0xFC0, 0xEE8, 0x1028, 0x1070, 0x10D0, 0x10F4, 0x1118, 0x1130, 0x1150, 0x1178, 0x11A4, 0x11C0, 0x11D8, 0x1208, 0x1244, 0x1274, 0x1298, 0x12B8, 0x12D8, 0x13DC, 0xF5C, 0xFE8, 0xF58, 0x1088, 0x105C, 0x1070, 0xFD4, 0x1118, 0x10B4, 0x1144, 0x1124, 0x10E4, 0x1120, 0x1244, 0x124C, 0x1298, 0xAA0, 0x1174, 0x12B8, 0x12E4, 0xAB4, 0x7F8, 0xBA8, 0x1320, 0x132C, 0x1308, 0x1240, 0x9B0, 0x9F8, 0x2B4, 0x78C, 0xA64, 0xAAC, 0x8C8, 0x1210, 0xC60, 0xC6C, 0x61C, 0xB30, 0xD10, 0xA34, 0x8C0, 0xB2C, 0x938, 0xC64, 0xA9C, 0xA7C, 0x8CC, 0x774, 0xBD0, 0xB08, 0xA38, 0xB4C, 0x11E0, 0xD94, 0xE1C, 0x13FC, 0xD88, 0xDB8, 0xDA0, 0x12A8, 0x11E4, 0xCCC, 0xDB4, 0xCF4, 0xFF4, 0xF2C, 0xF88, 0xDFC, 0x12D0, 0xF10, 0xDE8, 0xE58, 0x1088, 0xFFC, 0xEC0, 0x1070, 0xFD4, 0x1010, 0x1080, 0x10CC, 0xCE8, 0xD58, 0x10E8, 0x10F8, 0x106C, 0x10A0, 0x1108, 0xA1C, 0xB8C, 0x1208, 0x13D0, 0x12F4, 0xA74, 0xA0C, 0xA48, 0x928, 0xABC, 0x688, 0xAD8, 0xAAC, 0x1210, 0xB38, 0x1098, 0xB14, 0x780, 0x570, 0xB90, 0xAA8, 0xD14, 0xCB0, 0x55C, 0x910, 0x1368, 0x9C4, 0x108C, 0xC80, 0x8CC, 0xBC4, 0xB24, 0x950, 0xC30, 0x804, 0x6D8, 0xD94, 0xAF8, 0x114, 0xE10, 0xC74, 0xD90, 0xC78, 0x12A8, 0xCA0, 0x11B8, 0xD2C, 0xE4C, 0xE68, 0xE98, 0xAE4, 0xDC4, 0x6DC, 0xF7C, 0xF80, 0x7C0, 0xFD4, 0x1014
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f0fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f8fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000200000 0x00200000 0x00201fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000740000 0x00740000 0x01b3ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01b40000 0x01e0efff Memory Mapped File r False False False -
pagefile_0x0000000001e10000 0x01e10000 0x01e10fff Pagefile Backed Memory r True False False -
oleaccrc.dll 0x01e20000 0x01e20fff Memory Mapped File r False False False -
pagefile_0x0000000001e20000 0x01e20000 0x01e28fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001e30000 0x01e30000 0x01e31fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001e40000 0x01e40000 0x01e46fff Pagefile Backed Memory r True False False -
private_0x0000000001e50000 0x01e50000 0x01f4ffff Private Memory rw True False False -
pagefile_0x0000000001e50000 0x01e50000 0x01e50fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x01e60000 0x01e63fff Memory Mapped File r True False False -
pagefile_0x0000000001f50000 0x01f50000 0x0202efff Pagefile Backed Memory r True False False -
pagefile_0x0000000002030000 0x02030000 0x02031fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x02040000 0x02043fff Memory Mapped File r True False False -
pagefile_0x0000000002050000 0x02050000 0x02050fff Pagefile Backed Memory rw True False False -
private_0x0000000002060000 0x02060000 0x020dffff Private Memory rw True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db 0x020e0000 0x020fefff Memory Mapped File r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x02100000 0x0212ffff Memory Mapped File r True False False -
cversions.2.db 0x02130000 0x02133fff Memory Mapped File r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x02140000 0x021a5fff Memory Mapped File r True False False -
pagefile_0x00000000021b0000 0x021b0000 0x021b0fff Pagefile Backed Memory rw True False False -
private_0x0000000002260000 0x02260000 0x0235ffff Private Memory rw True False False -
pagefile_0x0000000002360000 0x02360000 0x02752fff Pagefile Backed Memory r True False False -
private_0x0000000002820000 0x02820000 0x0291ffff Private Memory rw True False False -
private_0x0000000002940000 0x02940000 0x02a3ffff Private Memory rw True False False -
private_0x00000000029a0000 0x029a0000 0x02a9ffff Private Memory rw True False False -
private_0x0000000002ac0000 0x02ac0000 0x02bbffff Private Memory rw True False False -
private_0x0000000002c90000 0x02c90000 0x02d8ffff Private Memory rw True False False -
private_0x0000000002cb0000 0x02cb0000 0x02daffff Private Memory rw True False False -
private_0x0000000002e90000 0x02e90000 0x02f8ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
psapi.dll 0x77830000 0x77836fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
fivjf.exe 0x13f0e0000 0x13f113fff Memory Mapped File rwx True True False
oleacc.dll 0x7fef5230000 0x7fef5283fff Memory Mapped File rwx False False False -
ieframe.dll 0x7fef5290000 0x7fef5e46fff Memory Mapped File rwx False False False -
api-ms-win-core-synch-l1-2-0.dll 0x7fef8f10000 0x7fef8f12fff Memory Mapped File rwx False False False -
apphelp.dll 0x7fefa4d0000 0x7fefa526fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefb520000 0x7fefb54cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
propsys.dll 0x7fefbf70000 0x7fefc09bfff Memory Mapped File rwx False False False -
comctl32.dll 0x7fefc0f0000 0x7fefc2e3fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd5c0000 0x7fefd5cefff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefd660000 0x7fefd66efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefd670000 0x7fefd6a5fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefd750000 0x7fefd8b6fff Memory Mapped File rwx False False False -
devobj.dll 0x7fefd900000 0x7fefd919fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
urlmon.dll 0x7fefd990000 0x7fefdb07fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
wldap32.dll 0x7fefe1b0000 0x7fefe201fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff0f0000 0x7feff2c6fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
wininet.dll 0x7feff360000 0x7feff489fff Memory Mapped File rwx False False False -
iertutil.dll 0x7feff4e0000 0x7feff738fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (5)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1 Fn
Open STD_INPUT_HANDLE - True 1 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Delete - - False 1 Fn
Process (320)
Operation Process Additional Information Success Count Logfile
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create taskkill show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 2 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 1 Fn
Create net show_window = SW_HIDE True 2 Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 2
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create net show_window = SW_HIDE True 1
Fn
Create C:\Windows\System32\cmd.exe show_window = SW_HIDE True 1
Fn
Open System desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\services.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\explorer.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\microsoft.net\bones plans mice.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\common files\sullivan_estimated_korea.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\msbuild\like.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\uninstall information\carbcreated.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\mozilla maintenance service\frame.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\microsoft.net\help_todd_ferrari.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\microsoft visual studio 8\receiversolstunning.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows defender\guru-utc-truly.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft sql server compact edition\knows.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows mail\gathering laptop polished.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows portable devices\diary-oh.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft synchronization services\ranking_attributes_composed.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows nt\wantedmarkerbag.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\mozilla firefox\ways_rice.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\google\battery-prostate-packard.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows portable devices\threateningscriptingleu.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft sync framework\causing-weights.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows media player\positioning-vacancies.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows portable devices\describing_putting.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\cmd.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\microsoft.net\bones plans mice.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\common files\sullivan_estimated_korea.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\msbuild\like.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\uninstall information\carbcreated.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\mozilla maintenance service\frame.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\microsoft.net\help_todd_ferrari.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\microsoft visual studio 8\receiversolstunning.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows defender\guru-utc-truly.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft sql server compact edition\knows.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows mail\gathering laptop polished.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows portable devices\diary-oh.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft synchronization services\ranking_attributes_composed.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows nt\wantedmarkerbag.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\mozilla firefox\ways_rice.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\google\battery-prostate-packard.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows portable devices\threateningscriptingleu.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft sync framework\causing-weights.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows media player\positioning-vacancies.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows portable devices\describing_putting.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\cmd.exe desired_access = PROCESS_ALL_ACCESS False 1
Thread (3)
Operation Process Additional Information Success Count Logfile
Create c:\windows\system32\dwm.exe proc_address = 0x13f0e1a30, proc_parameter = 5352849408, flags = THREAD_RUNS_IMMEDIATELY True 1
Create c:\windows\system32\taskhost.exe proc_address = 0x13f0e1a30, proc_parameter = 5352849408, flags = THREAD_RUNS_IMMEDIATELY True 1
Create c:\windows\system32\taskeng.exe proc_address = 0x13f0e1a30, proc_parameter = 5352849408, flags = THREAD_RUNS_IMMEDIATELY True 1
Memory (26)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\system32\dwm.exe address = 0x13f0e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 True 1
Allocate c:\windows\system32\taskhost.exe address = 0x13f0e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 True 1
Allocate c:\windows\system32\taskeng.exe address = 0x13f0e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 True 1
Allocate c:\program files (x86)\microsoft.net\bones plans mice.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files (x86)\common files\sullivan_estimated_korea.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files\msbuild\like.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files\uninstall information\carbcreated.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files (x86)\mozilla maintenance service\frame.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files (x86)\microsoft.net\help_todd_ferrari.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files (x86)\microsoft visual studio 8\receiversolstunning.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files\windows defender\guru-utc-truly.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files\microsoft sql server compact edition\knows.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\windows\system32\conhost.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files (x86)\windows mail\gathering laptop polished.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files (x86)\windows portable devices\diary-oh.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files\microsoft synchronization services\ranking_attributes_composed.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files\windows nt\wantedmarkerbag.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files (x86)\mozilla firefox\ways_rice.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files (x86)\google\battery-prostate-packard.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files\windows portable devices\threateningscriptingleu.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files\microsoft sync framework\causing-weights.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files\windows media player\positioning-vacancies.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Allocate c:\program files (x86)\windows portable devices\describing_putting.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 212992 False 1
Write c:\windows\system32\dwm.exe address = 0x13f0e0000, size = 212992 True 1
Write c:\windows\system32\taskhost.exe address = 0x13f0e0000, size = 212992 True 1
Write c:\windows\system32\taskeng.exe address = 0x13f0e0000, size = 212992 True 1
Module (63)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Load api-ms-win-core-synch-l1-2-0 base_address = 0x7fef8f10000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 4
Load kernel32 base_address = 0x0 False 2
Load kernel32 base_address = 0x77550000 True 2
Load advapi32 base_address = 0x0 False 1
Load advapi32 base_address = 0x7feff740000 True 1
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 2
Load kernel32.dll base_address = 0x77550000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x0 False 2
Load ext-ms-win-kernel32-package-current-l1-1-0 base_address = 0x0 False 2
Get Handle c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe base_address = 0x13f0e0000 True 25
Get Handle mscoree.dll - False 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe, size = 260 True 3
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe, size = 320 True 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe, size = 100 True 1
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 2
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x77567190 True 2
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x7756bd90 True 2
Get Address c:\windows\system32\advapi32.dll function = EventRegister, address_out = 0x776acac0 True 1
Get Address c:\windows\system32\advapi32.dll function = EventSetInformation, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x77573520 True 1
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7759b710 True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x775591d0 True 1
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (39)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 2
Sleep duration = 300 milliseconds (0.300 seconds) True 33
Get Time type = System Time, time = 2018-11-27 19:46:15 (UTC) True 1
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 2
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Process #2: taskkill.exe
Information Value
ID #2
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x97c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x980, 0xA14, 0xA4C, 0xA90, 0xA94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x001e0000 0x001e3fff Memory Mapped File rw False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00290000 0x0034ffff Memory Mapped File rw False False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b80000 0x01b80000 0x01b80fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b90000 0x01b90000 0x01b90fff Pagefile Backed Memory r True False False -
private_0x0000000001bb0000 0x01bb0000 0x01c2ffff Private Memory rw True False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001dd0000 0x01dd0000 0x01e4ffff Private Memory rw True False False -
sortdefault.nls 0x01e50000 0x0211efff Memory Mapped File r False False False -
private_0x0000000002140000 0x02140000 0x021bffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #3: taskkill.exe
Information Value
ID #3
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x988
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x98C, 0xA1C, 0xA54, 0xAA0, 0xAA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #4: taskkill.exe
Information Value
ID #4
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9a4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9A8, 0xA18, 0xA50, 0xA70, 0xA74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x000affff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
locale.nls 0x00290000 0x002f6fff Memory Mapped File r False False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000590000 0x00590000 0x00710fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000720000 0x00720000 0x01b1ffff Pagefile Backed Memory r True False False -
private_0x0000000001ba0000 0x01ba0000 0x01c1ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01c20000 0x01cdffff Memory Mapped File rw False False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001e30000 0x01e30000 0x01eaffff Private Memory rw True False False -
private_0x0000000001f60000 0x01f60000 0x01fdffff Private Memory rw True False False -
private_0x0000000002030000 0x02030000 0x020affff Private Memory rw True False False -
sortdefault.nls 0x020b0000 0x0237efff Memory Mapped File r False False False -
private_0x0000000002390000 0x02390000 0x0240ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7020000 0x7fef7033fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef7360000 0x7fef7441fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #5: taskkill.exe
Information Value
ID #5
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9c4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9C8, 0xA48, 0xA5C, 0xAB0, 0xAB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x001e0000 0x001e3fff Memory Mapped File rw False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00290000 0x0034ffff Memory Mapped File rw False False False -
pagefile_0x0000000000350000 0x00350000 0x00350fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000360000 0x00360000 0x00360fff Pagefile Backed Memory r True False False -
private_0x0000000000390000 0x00390000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000540000 0x00540000 0x006c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x00850fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000860000 0x00860000 0x01c5ffff Pagefile Backed Memory r True False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001df0000 0x01df0000 0x01e6ffff Private Memory rw True False False -
private_0x0000000001ee0000 0x01ee0000 0x01f5ffff Private Memory rw True False False -
sortdefault.nls 0x01f60000 0x0222efff Memory Mapped File r False False False -
private_0x0000000002310000 0x02310000 0x0238ffff Private Memory rw True False False -
private_0x0000000002400000 0x02400000 0x0247ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7020000 0x7fef7033fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #6: taskkill.exe
Information Value
ID #6
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9d8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9DC, 0xA58, 0xAAC, 0xAB8, 0xABC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x001e0000 0x001e3fff Memory Mapped File rw False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
private_0x00000000002a0000 0x002a0000 0x0031ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00320000 0x003dffff Memory Mapped File rw False False False -
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory r True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory r True False False -
private_0x0000000001c70000 0x01c70000 0x01ceffff Private Memory rw True False False -
rsaenh.dll 0x01cf0000 0x01d34fff Memory Mapped File r False False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory rw True False False -
sortdefault.nls 0x01e40000 0x0210efff Memory Mapped File r False False False -
private_0x0000000002230000 0x02230000 0x022affff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #7: taskkill.exe
Information Value
ID #7
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa08
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA0C, 0xAD8, 0xB40, 0xB88, 0xB8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
pagefile_0x00000000003f0000 0x003f0000 0x00577fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000580000 0x00580000 0x00700fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000710000 0x00710000 0x01b0ffff Pagefile Backed Memory r True False False -
private_0x0000000001b40000 0x01b40000 0x01bbffff Private Memory rw True False False -
kernelbase.dll.mui 0x01bc0000 0x01c7ffff Memory Mapped File rw False False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001da0000 0x01da0000 0x01e1ffff Private Memory rw True False False -
private_0x0000000001f50000 0x01f50000 0x01fcffff Private Memory rw True False False -
sortdefault.nls 0x01fd0000 0x0229efff Memory Mapped File r False False False -
private_0x0000000002340000 0x02340000 0x023bffff Private Memory rw True False False -
private_0x0000000002450000 0x02450000 0x024cffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #8: taskkill.exe
Information Value
ID #8
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa28
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA2C, 0xB1C, 0xB58, 0xB94, 0xB98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000f0000 0x000f3fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
pagefile_0x00000000003f0000 0x003f0000 0x00577fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000580000 0x00580000 0x00700fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000710000 0x00710000 0x01b0ffff Pagefile Backed Memory r True False False -
private_0x0000000001b70000 0x01b70000 0x01beffff Private Memory rw True False False -
kernelbase.dll.mui 0x01bf0000 0x01caffff Memory Mapped File rw False False False -
private_0x0000000001cf0000 0x01cf0000 0x01d6ffff Private Memory rw True False False -
private_0x0000000001e10000 0x01e10000 0x01e8ffff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory rw True False False -
sortdefault.nls 0x01f70000 0x0223efff Memory Mapped File r False False False -
private_0x0000000002290000 0x02290000 0x0230ffff Private Memory rw True False False -
private_0x00000000023d0000 0x023d0000 0x0244ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #9: taskkill.exe
Information Value
ID #9
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa60
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA64
0xB34
0xB74
0xBA0
0xBA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x00567fff Pagefile Backed Memory r True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory rw True False False -
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000740000 0x00740000 0x01b3ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b40000 0x01bfffff Memory Mapped File rw False False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001df0000 0x01df0000 0x01e6ffff Private Memory rw True False False -
sortdefault.nls 0x01e70000 0x0213efff Memory Mapped File r False False False -
private_0x0000000002280000 0x02280000 0x022fffff Private Memory rw True False False -
private_0x0000000002300000 0x02300000 0x0237ffff Private Memory rw True False False -
private_0x0000000002470000 0x02470000 0x024effff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7020000 0x7fef7033fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef7360000 0x7fef7441fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #10: taskkill.exe
Information Value
ID #10
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:10, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa80
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA84
0xB38
0xB78
0xBA8
0xBAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ae0000 0x01b9ffff Memory Mapped File rw False False False -
private_0x0000000001c00000 0x01c00000 0x01c7ffff Private Memory rw True False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory rw True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f1ffff Private Memory rw True False False -
sortdefault.nls 0x01f20000 0x021eefff Memory Mapped File r False False False -
private_0x00000000022e0000 0x022e0000 0x0235ffff Private Memory rw True False False -
private_0x0000000002410000 0x02410000 0x0248ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7020000 0x7fef7033fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef7360000 0x7fef7441fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #12: taskkill.exe
Information Value
ID #12
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaf8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAFC
0xBDC
0x528
0x7B4
0x420
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
kernelbase.dll.mui 0x00190000 0x0024ffff Memory Mapped File rw False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
pagefile_0x0000000000450000 0x00450000 0x00450fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000460000 0x00460000 0x00460fff Pagefile Backed Memory r True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x01bcffff Pagefile Backed Memory r True False False -
private_0x0000000001c50000 0x01c50000 0x01ccffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory rw True False False -
private_0x0000000001eb0000 0x01eb0000 0x01f2ffff Private Memory rw True False False -
private_0x0000000001fd0000 0x01fd0000 0x0204ffff Private Memory rw True False False -
sortdefault.nls 0x02050000 0x0231efff Memory Mapped File r False False False -
private_0x0000000002370000 0x02370000 0x023effff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
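Every child process in this tree is the same forced kill, "C:\Windows\System32\taskkill.exe" /IM <image> /F, launched by fivjf.exe (PID 0x954) with a different target each time and all within about a second of each other. One forced kill is routine administration; a burst of a dozen aimed at database, office and backup images is the pre-encryption pattern worth alerting on, and the taskkill children themselves show no other activity ("No high level activity detected"), so the signal lies in the parent-to-child relationship rather than in any single process. The Python below is an added detection example, not code from the VMRay report or from the analysed sample: it extracts the target of each forced /IM kill from process-creation records, groups kills by parent PID, and alerts when one parent issues at least five watchlisted kills inside a ten-second window. The event records are constructed to mirror the report's Process Overview rows (PIDs and timings are illustrative, the command lines are the ones shown above), and the watchlist extends the report's observed targets with a few assumed database and office image names.

```python
"""Flag a parent that spawns a burst of forced `taskkill /IM <image> /F`
children aimed at database, office and backup software.
Added example, not code from the VMRay report or from the analysed sample."""
import re
from collections import defaultdict

# Targets seen in this report's command lines, extended with a few database
# and office images that such kill lists commonly include (assumption).
WATCHLIST = {
    "zoolz.exe", "agntsvc.exe", "dbeng50.exe", "dbsnmp.exe", "encsvc.exe",
    "excel.exe", "firefoxconfig.exe", "infopath.exe", "isqlplussvc.exe",
    "msaccess.exe", "msftesql.exe",
    "sqlservr.exe", "sqlagent.exe", "mysqld.exe", "oracle.exe",
    "outlook.exe", "winword.exe",
}

_IM = re.compile(r'/IM\s+"?([^\s"]+)"?', re.I)      # /IM <image>
_FORCE = re.compile(r'(?:^|\s)/F(?=\s|$)', re.I)    # bare /F, not /FI


def parse_taskkill(cmdline):
    """Return the lower-cased image a forced `taskkill /IM` targets, else None."""
    if "taskkill" not in cmdline.lower():
        return None
    m = _IM.search(cmdline)
    if m is None or _FORCE.search(cmdline) is None:
        return None
    return m.group(1).lower()


def taskkill_bursts(events, window_s=10.0, min_hits=5):
    """Group watchlisted forced kills by parent PID; return {ppid: [targets]}
    for every parent with >= min_hits such kills inside a window_s window.
    events: iterable of dicts with ts (seconds), pid, ppid, cmdline."""
    by_parent = defaultdict(list)
    for ev in events:
        target = parse_taskkill(ev["cmdline"])
        if target in WATCHLIST:
            by_parent[ev["ppid"]].append((ev["ts"], target))
    alerts = {}
    for ppid, hits in by_parent.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):          # sliding window over sorted kills
            while hits[hi][0] - hits[lo][0] > window_s:
                lo += 1
            if hi - lo + 1 >= min_hits:
                alerts[ppid] = sorted({t for _, t in hits})
                break
    return alerts


_TK = r'"C:\Windows\System32\taskkill.exe" /IM {} /F'
_TARGETS = ["zoolz.exe", "agntsvc.exe", "dbeng50.exe", "dbsnmp.exe", "encsvc.exe",
            "excel.exe", "firefoxconfig.exe", "infopath.exe", "isqlplussvc.exe",
            "msaccess.exe", "msftesql.exe"]

# Constructed records modelled on the report's Process Overview; PIDs and
# timings are illustrative, the command lines are the ones the report shows.
SAMPLE_EVENTS = (
    [{"ts": 70.0, "pid": 0x954, "ppid": 0x3c0,
      "cmdline": r'"C:\Users\victim\Desktop\fivjf.exe"'}]
    + [{"ts": 70.0 + 0.1 * i, "pid": 0x97c + 0x20 * i, "ppid": 0x954,
        "cmdline": _TK.format(name)} for i, name in enumerate(_TARGETS)]
    + [  # benign noise: one hung editor killed by name, one kill by PID
        {"ts": 75.0, "pid": 0xc00, "ppid": 0x700,
         "cmdline": r'"C:\Windows\System32\taskkill.exe" /IM notepad.exe /F'},
        {"ts": 76.0, "pid": 0xc10, "ppid": 0x700, "cmdline": "taskkill /PID 4242 /F"},
    ]
)

if __name__ == "__main__":
    for ppid, targets in taskkill_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT parent 0x{ppid:x} force-killed {len(targets)} watchlisted images: "
              + ", ".join(targets))
```

Run as-is, the script reports parent 0x954 with all eleven images from the report and stays silent for the admin's single notepad.exe kill and the kill by PID. Feed it real process-creation telemetry (Sysmon event 1, EDR process events) by mapping the fields to ts, pid, ppid and cmdline; the window and threshold are the knobs to tune against your own baseline of legitimate taskkill use, and the parent PID is the pivot for the follow-up triage, since that is the process that will go on to touch the files.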
Process #13: taskkill.exe
Information Value
ID #13
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb10
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB14
0xBE0
0x540
0x404
0x548
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00260000 0x00263fff Memory Mapped File rw False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x00000000002e0000 0x002e0000 0x0035ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
private_0x0000000000670000 0x00670000 0x0067ffff Private Memory rw True False False -
pagefile_0x0000000000680000 0x00680000 0x00800fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000810000 0x00810000 0x01c0ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01c10000 0x01ccffff Memory Mapped File rw False False False -
private_0x0000000001cd0000 0x01cd0000 0x01d4ffff Private Memory rw True False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory rw True False False -
private_0x0000000001e00000 0x01e00000 0x01e7ffff Private Memory rw True False False -
sortdefault.nls 0x01e80000 0x0214efff Memory Mapped File r False False False -
private_0x00000000021f0000 0x021f0000 0x0226ffff Private Memory rw True False False -
private_0x00000000023a0000 0x023a0000 0x0241ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #14: taskkill.exe
Information Value
ID #14
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb4c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB50, 0xBFC, 0xC4, 0x80C, 0x544
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x001e0000 0x001e3fff Memory Mapped File rw False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x00000000002e0000 0x002e0000 0x0035ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
pagefile_0x0000000000500000 0x00500000 0x00687fff Pagefile Backed Memory r True False False -
private_0x00000000006b0000 0x006b0000 0x006bffff Private Memory rw True False False -
pagefile_0x00000000006c0000 0x006c0000 0x00840fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000850000 0x00850000 0x01c4ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01c50000 0x01d0ffff Memory Mapped File rw False False False -
private_0x0000000001e80000 0x01e80000 0x01efffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #15: taskkill.exe
Information Value
ID #15
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb64
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB68, 0x688, 0x5E0, 0x77C, 0x7F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x00567fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000570000 0x00570000 0x006f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x01afffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b00000 0x01bbffff Memory Mapped File rw False False False -
rsaenh.dll 0x01bc0000 0x01c04fff Memory Mapped File r False False False -
private_0x0000000001c20000 0x01c20000 0x01c9ffff Private Memory rw True False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory rw True False False -
sortdefault.nls 0x01f70000 0x0223efff Memory Mapped File r False False False -
private_0x00000000022f0000 0x022f0000 0x0236ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #16: taskkill.exe
Information Value
ID #16
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbd0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBD4, 0x764, 0x78C, 0x250, 0x4E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x003bffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
pagefile_0x00000000004f0000 0x004f0000 0x00677fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000680000 0x00680000 0x00800fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000810000 0x00810000 0x01c0ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01c10000 0x01ccffff Memory Mapped File rw False False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001e10000 0x01e10000 0x01e8ffff Private Memory rw True False False -
private_0x0000000001f60000 0x01f60000 0x01fdffff Private Memory rw True False False -
private_0x0000000002060000 0x02060000 0x020dffff Private Memory rw True False False -
sortdefault.nls 0x020e0000 0x023aefff Memory Mapped File r False False False -
private_0x0000000002490000 0x02490000 0x0250ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #17: taskkill.exe
Information Value
ID #17
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbec
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBF0, 0x780, 0x360, 0x274, 0x324
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00230000 0x002effff Memory Mapped File rw False False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
pagefile_0x0000000000570000 0x00570000 0x006f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x00880fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000890000 0x00890000 0x01c8ffff Pagefile Backed Memory r True False False -
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
sortdefault.nls 0x01ee0000 0x021aefff Memory Mapped File r False False False -
private_0x0000000002360000 0x02360000 0x023dffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
Process #18: taskkill.exe
Information Value
ID #18
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6d8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x638, 0x24C, 0x2B4, 0xB0, 0x8B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #19: taskkill.exe
Information Value
ID #19
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x314
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x538, 0x7E4, 0x578, 0x8F4, 0x908
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #20: taskkill.exe
Information Value
ID #20
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x820
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x828, 0x8DC, 0x330, 0x95C, 0x960
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #21: taskkill.exe
Information Value
ID #21
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6c8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x2AC, 0x8C8, 0x8B4, 0x7F4, 0x928
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #22: taskkill.exe
Information Value
ID #22
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7cc
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x51C, 0x94C, 0x998, 0xA24, 0xA30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #23: taskkill.exe
Information Value
ID #23
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3b8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x82C, 0x918, 0x9B4, 0x9D4, 0x9F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000f0000 0x000f3fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000740000 0x00740000 0x01b3ffff Pagefile Backed Memory r True False False -
private_0x0000000001b40000 0x01b40000 0x01bbffff Private Memory rw True False False -
kernelbase.dll.mui 0x01bc0000 0x01c7ffff Memory Mapped File rw False False False -
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
sortdefault.nls 0x01dc0000 0x0208efff Memory Mapped File r False False False -
private_0x00000000020f0000 0x020f0000 0x0216ffff Private Memory rw True False False -
private_0x0000000002230000 0x02230000 0x022affff Private Memory rw True False False -
private_0x0000000002300000 0x02300000 0x0237ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #25: taskkill.exe
Information Value
ID #25
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x900
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8F8, 0xA88, 0x570, 0x590, 0x1E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00190000 0x0024ffff Memory Mapped File rw False False False -
pagefile_0x0000000000250000 0x00250000 0x00250fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory r True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
pagefile_0x00000000004d0000 0x004d0000 0x00657fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000660000 0x00660000 0x007e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007f0000 0x007f0000 0x01beffff Pagefile Backed Memory r True False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
private_0x0000000001f50000 0x01f50000 0x01fcffff Private Memory rw True False False -
private_0x0000000001fd0000 0x01fd0000 0x0204ffff Private Memory rw True False False -
sortdefault.nls 0x02050000 0x0231efff Memory Mapped File r False False False -
private_0x0000000002350000 0x02350000 0x023cffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #26: taskkill.exe
Information Value
ID #26
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:13, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8c0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8C4, 0x96C, 0x9CC, 0x9E0, 0xA10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000590000 0x00590000 0x00710fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000720000 0x00720000 0x01b1ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b20000 0x01bdffff Memory Mapped File rw False False False -
private_0x0000000001c00000 0x01c00000 0x01c7ffff Private Memory rw True False False -
private_0x0000000001ca0000 0x01ca0000 0x01d1ffff Private Memory rw True False False -
private_0x0000000001da0000 0x01da0000 0x01e1ffff Private Memory rw True False False -
sortdefault.nls 0x01e20000 0x020eefff Memory Mapped File r False False False -
private_0x0000000002200000 0x02200000 0x0227ffff Private Memory rw True False False -
private_0x0000000002290000 0x02290000 0x0230ffff Private Memory rw True False False -
private_0x0000000002400000 0x02400000 0x0247ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #27: taskkill.exe
Information Value
ID #27
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8bc
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8B8, 0xB2C, 0x3D8, 0x510, 0x6E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d6fff Pagefile Backed Memory r True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
locale.nls 0x001e0000 0x00246fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
pagefile_0x0000000000350000 0x00350000 0x00351fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00360000 0x00363fff Memory Mapped File rw False False False -
private_0x0000000000370000 0x00370000 0x00370fff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
pagefile_0x00000000003a0000 0x003a0000 0x00527fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000530000 0x00530000 0x006b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006c0000 0x006c0000 0x01abffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ac0000 0x01b7ffff Memory Mapped File rw False False False -
pagefile_0x0000000001b80000 0x01b80000 0x01b80fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b90000 0x01b90000 0x01b90fff Pagefile Backed Memory r True False False -
private_0x0000000001bf0000 0x01bf0000 0x01c6ffff Private Memory rw True False False -
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001d50000 0x01d50000 0x01dcffff Private Memory rw True False False -
private_0x0000000001e30000 0x01e30000 0x01eaffff Private Memory rw True False False -
sortdefault.nls 0x01eb0000 0x0217efff Memory Mapped File r False False False -
private_0x0000000002290000 0x02290000 0x0230ffff Private Memory rw True False False -
private_0x0000000002320000 0x02320000 0x0239ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #28: taskkill.exe
0 0
Information Value
ID #28
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x920
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x914
0x7F0
0xB0C
0xBE8
0x628
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
kernelbase.dll.mui 0x00190000 0x0024ffff Memory Mapped File rw False False False -
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b80000 0x01b80000 0x01b80fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b90000 0x01b90000 0x01b90fff Pagefile Backed Memory r True False False -
private_0x0000000001bd0000 0x01bd0000 0x01c4ffff Private Memory rw True False False -
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001d30000 0x01d30000 0x01daffff Private Memory rw True False False -
private_0x0000000001ee0000 0x01ee0000 0x01f5ffff Private Memory rw True False False -
sortdefault.nls 0x01f60000 0x0222efff Memory Mapped File r False False False -
private_0x0000000002260000 0x02260000 0x022dffff Private Memory rw True False False -
private_0x0000000002320000 0x02320000 0x0239ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #29: taskkill.exe
0 0
Information Value
ID #29
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x944
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x938
0x8EC
0xB84
0xC08
0xC0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
pagefile_0x0000000000350000 0x00350000 0x00351fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00360000 0x00363fff Memory Mapped File rw False False False -
private_0x0000000000370000 0x00370000 0x00370fff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x00567fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000570000 0x00570000 0x006f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x01afffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b00000 0x01bbffff Memory Mapped File rw False False False -
private_0x0000000001bd0000 0x01bd0000 0x01c4ffff Private Memory rw True False False -
private_0x0000000001cd0000 0x01cd0000 0x01d4ffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01e0ffff Private Memory rw True False False -
sortdefault.nls 0x01e10000 0x020defff Memory Mapped File r False False False -
private_0x0000000002150000 0x02150000 0x021cffff Private Memory rw True False False -
private_0x0000000002210000 0x02210000 0x0228ffff Private Memory rw True False False -
private_0x00000000022c0000 0x022c0000 0x0233ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #30: taskkill.exe
0 0
Information Value
ID #30
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa9c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB00
0xC14
0xC50
0xC5C
0xC60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00260000 0x00263fff Memory Mapped File rw False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x005c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x01b5ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b60000 0x01c1ffff Memory Mapped File rw False False False -
private_0x0000000001c50000 0x01c50000 0x01ccffff Private Memory rw True False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory rw True False False -
private_0x0000000001f20000 0x01f20000 0x01f9ffff Private Memory rw True False False -
sortdefault.nls 0x01fa0000 0x0226efff Memory Mapped File r False False False -
private_0x0000000002350000 0x02350000 0x023cffff Private Memory rw True False False -
private_0x00000000024c0000 0x024c0000 0x0253ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #31: taskkill.exe
0 0
Information Value
ID #31
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbc4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBD8
0x808
0xC2C
0xC54
0xC58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory r True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
private_0x0000000001b90000 0x01b90000 0x01c0ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01c10000 0x01ccffff Memory Mapped File rw False False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory rw True False False -
private_0x0000000001e00000 0x01e00000 0x01e7ffff Private Memory rw True False False -
private_0x0000000001f00000 0x01f00000 0x01f7ffff Private Memory rw True False False -
sortdefault.nls 0x01f80000 0x0224efff Memory Mapped File r False False False -
private_0x0000000002370000 0x02370000 0x023effff Private Memory rw True False False -
private_0x00000000024c0000 0x024c0000 0x0253ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
Process #32: taskkill.exe
Information Value
ID #32
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3c8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7E0, 0xC44, 0xC68, 0xC6C, 0xC70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #33: taskkill.exe
Information Value
ID #33
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x950
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x910, 0xC64, 0xC7C, 0xC90, 0xC94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #34: taskkill.exe
Information Value
ID #34
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc1c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC20, 0xCD8, 0xD08, 0xD14, 0xD18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #35: taskkill.exe
Information Value
ID #35
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc38
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC3C, 0xCC8, 0xD04, 0xD0C, 0xD10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #36: taskkill.exe
Information Value
ID #36
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc84
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC88, 0xD24, 0xD68, 0xD90, 0xD94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00170000 0x00173fff Memory Mapped File rw False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000590000 0x00590000 0x00710fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000720000 0x00720000 0x01b1ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b20000 0x01bdffff Memory Mapped File rw False False False -
private_0x0000000001c40000 0x01c40000 0x01cbffff Private Memory rw True False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
sortdefault.nls 0x01ee0000 0x021aefff Memory Mapped File r False False False -
private_0x00000000022f0000 0x022f0000 0x0236ffff Private Memory rw True False False -
private_0x0000000002480000 0x02480000 0x024fffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #37: taskkill.exe
Information Value
ID #37
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xca0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCA4, 0xD54, 0xD88, 0xD98, 0xD9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernelbase.dll.mui 0x002f0000 0x003affff Memory Mapped File rw False False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
pagefile_0x00000000004d0000 0x004d0000 0x00657fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000660000 0x00660000 0x007e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007f0000 0x007f0000 0x01beffff Pagefile Backed Memory r True False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory rw True False False -
private_0x0000000001e50000 0x01e50000 0x01ecffff Private Memory rw True False False -
sortdefault.nls 0x01ed0000 0x0219efff Memory Mapped File r False False False -
private_0x0000000002260000 0x02260000 0x022dffff Private Memory rw True False False -
private_0x00000000023f0000 0x023f0000 0x0246ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #38: taskkill.exe
Information Value
ID #38
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xccc
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCD0, 0xDC0, 0xE08, 0xE1C, 0xE20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0039ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
private_0x0000000000650000 0x00650000 0x0065ffff Private Memory rw True False False -
pagefile_0x0000000000660000 0x00660000 0x007e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007f0000 0x007f0000 0x01beffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01bf0000 0x01caffff Memory Mapped File rw False False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory rw True False False -
sortdefault.nls 0x01e40000 0x0210efff Memory Mapped File r False False False -
private_0x0000000002190000 0x02190000 0x0220ffff Private Memory rw True False False -
private_0x0000000002260000 0x02260000 0x022dffff Private Memory rw True False False -
private_0x0000000002390000 0x02390000 0x0240ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #39: taskkill.exe
Information Value
ID #39
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcec
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCF0, 0xDAC, 0xE00, 0xE10, 0xE14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernelbase.dll.mui 0x004c0000 0x0057ffff Memory Mapped File rw False False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
pagefile_0x00000000005a0000 0x005a0000 0x00727fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000730000 0x00730000 0x008b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008c0000 0x008c0000 0x01cbffff Pagefile Backed Memory r True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001e10000 0x01e10000 0x01e8ffff Private Memory rw True False False -
private_0x0000000001f40000 0x01f40000 0x01fbffff Private Memory rw True False False -
private_0x0000000002000000 0x02000000 0x0207ffff Private Memory rw True False False -
private_0x00000000020f0000 0x020f0000 0x0216ffff Private Memory rw True False False -
sortdefault.nls 0x02170000 0x0243efff Memory Mapped File r False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #40: taskkill.exe
Information Value
ID #40
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd28
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD2C, 0xE4C, 0xE8C, 0xEA0, 0xEA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b50000 0x01c0ffff Memory Mapped File rw False False False -
private_0x0000000001c40000 0x01c40000 0x01cbffff Private Memory rw True False False -
private_0x0000000001e00000 0x01e00000 0x01e7ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #41: taskkill.exe
Information Value
ID #41
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd48
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD4C
0xE80
0xE90
0xEB0
0xEB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #42: taskkill.exe
Information Value
ID #42
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDB8
0xE84
0xE98
0xED0
0xED4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #43: taskkill.exe
Information Value
ID #43
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xde8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDEC
0xEA8
0xF08
0xF28
0xF2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
rsaenh.dll 0x001b0000 0x001f4fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b80000 0x01c3ffff Memory Mapped File rw False False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory rw True False False -
private_0x0000000001ed0000 0x01ed0000 0x01f4ffff Private Memory rw True False False -
private_0x0000000001f60000 0x01f60000 0x01fdffff Private Memory rw True False False -
private_0x0000000002120000 0x02120000 0x0219ffff Private Memory rw True False False -
sortdefault.nls 0x021a0000 0x0246efff Memory Mapped File r False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4590000 0x7fef46b4fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #44: taskkill.exe
Information Value
ID #44
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe3c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE40
0xF04
0xF18
0xF30
0xF34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #45: taskkill.exe
Information Value
ID #45
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe58
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE5C
0xF0C
0xF68
0xF7C
0xF80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #46: taskkill.exe
Information Value
ID #46
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xeb8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEBC
0xF44
0xF84
0xF88
0xF8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #47: taskkill.exe
Information Value
ID #47
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xee0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEE4
0xF90
0xFA0
0xFB8
0xFBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff6c0000 0xff6defff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #48: net.exe
Information Value
ID #48
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf1c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #49: net.exe
Information Value
ID #49
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf38
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #50: net.exe
Information Value
ID #50
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf5c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #51: net.exe
Information Value
ID #51
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfac
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #52: net.exe
Information Value
ID #52
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfc8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #53: net1.exe
Information Value
ID #53
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfd4
Parent PID 0xf1c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffda0000 0xffdd2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffda0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:32 (UTC) True 1
Get Time type = Ticks, time = 124020 True 1
Process #54: net1.exe
Information Value
ID #54
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Enterprise Client Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfdc
Parent PID 0xf38 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffda0000 0xffdd2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffda0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:32 (UTC) True 1
Get Time type = Ticks, time = 124114 True 1
Process #55: net1.exe
Information Value
ID #55
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xff4
Parent PID 0xf5c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffda0000 0xffdd2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffda0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:32 (UTC) True 1
Get Time type = Ticks, time = 124223 True 1
Process #56: net.exe
Information Value
ID #56
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8a8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x934
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #57: net.exe
Information Value
ID #57
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc8c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #58: net1.exe
Information Value
ID #58
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd00
Parent PID 0xfac (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdd0000 0xffe02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdd0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:33 (UTC) True 1
Get Time type = Ticks, time = 124597 True 1
Process #59: net1.exe
Information Value
ID #59
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Clean Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd30
Parent PID 0xfc8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdd0000 0xffe02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdd0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:33 (UTC) True 1
Get Time type = Ticks, time = 124707 True 1
Process #60: net.exe
0 0
Information Value
ID #60
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xde4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #61: net.exe
0 0
Information Value
ID #61
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe60
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #62: net1.exe
17 0
Information Value
ID #62
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xedc
Parent PID 0xc8c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0007ffff Private Memory rw True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
locale.nls 0x00180000 0x001e6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdd0000 0xffe02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdd0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:33 (UTC) True 1
Get Time type = Ticks, time = 124972 True 1
Process #63: net.exe
0 0
Information Value
ID #63
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf50
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #64: net.exe
0 0
Information Value
ID #64
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xff8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #65: net.exe
0 0
Information Value
ID #65
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfdc
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #66: net1.exe
17 0
Information Value
ID #66
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf60
Parent PID 0x8a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc40000 0xffc72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:34 (UTC) True 1
Get Time type = Ticks, time = 125721 True 1
Process #67: net1.exe
17 0
Information Value
ID #67
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Health Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf94
Parent PID 0xde4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc40000 0xffc72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:34 (UTC) True 1
Get Time type = Ticks, time = 125877 True 1
Process #68: net1.exe
17 0
Information Value
ID #68
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0xcf4
Parent PID 0xe60 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x F54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc40000 0xffc72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:34 (UTC) True 1
Get Time type = Ticks, time = 125877 True 1
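What this run of processes records is one stage of the sample's pre-encryption routine: fivjf.exe (PID 0x954) launches net.exe once per target service with stop "<service>" /y, and each net.exe re-executes net1.exe with the same arguments. net1.exe is the process that actually talks to the service control manager (Open Manager on SERVICES_ACTIVE_DATABASE), which is why the net.exe entries carry the remark "No high level activity detected" while the net1.exe entries carry the Service operations. In every net1.exe instance here the Get Service Name lookup fails (Success = False) and net1 then writes error text to STD_ERROR_HANDLE, which is what you see when the named service is not installed; the 30- and 52-byte writes are consistent with net's standard "service name is invalid" / NET HELPMSG lines, though the report does not show the bytes. So the Sophos and SQLsafe services were not present in the sandbox and nothing was stopped: the indicator to detect on is the command line plus the parent chain, not an observed effect.

The following is an added example, not VMRay's code and not part of this report, showing that detection run over process-creation events built from the PIDs and command lines in this section. Assumed: a Sysmon-style event shape reduced to five fields; the net.exe row for PID 0xe60 reconstructed from process #68's Parent PID field; two constructed cmd.exe-launched rows as benign controls; and PROTECTED_SERVICE_RE as a starter list of protected-service name fragments that an analyst would extend.

```python
"""Flag 'net stop' commands aimed at security/backup services, as this report
records for the net.exe / net1.exe children of fivjf.exe (PID 0x954).

Added example for this page, not VMRay's code. Assumed: Sysmon-style process
creation events reduced to five fields; PROTECTED_SERVICE_RE is a starter list."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


# "net stop <service>" whether net/net1 is bare, has .exe, is quoted or is a full path.
NET_STOP_RE = re.compile(
    r'^\s*(?:"(?:[^"]*[\\/])?net1?(?:\.exe)?"|(?:\S*[\\/])?net1?(?:\.exe)?)'
    r'\s+stop\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))(?P<rest>.*)$',
    re.IGNORECASE,
)
# Assumed starter list: Sophos and SQLsafe are named in this report, the rest is
# generic AV/EDR/backup vocabulary an analyst extends for their own estate.
PROTECTED_SERVICE_RE = re.compile(
    r"sophos|sqlsafe|backup|antivirus|defender|endpoint|protection|safestore", re.I
)
# Parents from which an administrator plausibly types 'net stop' by hand.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
NET_IMAGES = {"net.exe", "net1.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_net_stop(cmdline):
    """(service_name, forced) for a net/net1 'stop' command line, else None.
    forced is True when /y is present: it suppresses the dependent-service prompt."""
    m = NET_STOP_RE.match(cmdline)
    if m is None:
        return None
    forced = re.search(r"(?:^|\s)/y(?:\s|$)", m.group("rest"), re.I) is not None
    return m.group("quoted") or m.group("bare"), forced


def origin_of(event, by_pid):
    """(pid, image) of the first non-net ancestor. net.exe only re-executes net1.exe
    with the same arguments, so net1.exe's direct parent never decided anything."""
    cur = event
    while basename(cur.parent_image) in NET_IMAGES and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
    return cur.ppid, cur.parent_image


def find_service_stops(events):
    """One finding per (origin process, service); the net.exe launcher and its
    net1.exe worker carry the same command line and collapse into one entry."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        parsed = parse_net_stop(e.cmdline) if basename(e.image) in NET_IMAGES else None
        if parsed is None:
            continue
        service, forced = parsed
        origin_pid, origin_image = origin_of(e, by_pid)
        key = (origin_pid, service.lower())
        if key in findings:
            continue
        protected = PROTECTED_SERVICE_RE.search(service) is not None
        interactive = basename(origin_image) in INTERACTIVE_PARENTS
        severity = ("high" if protected and not interactive
                    else "medium" if protected or not interactive else "low")
        findings[key] = {"origin_pid": origin_pid, "origin_image": basename(origin_image),
                         "launcher_pid": e.pid, "service": service,
                         "forced": forced, "severity": severity}
    return list(findings.values())


def burst_origins(findings, threshold=3):
    """Origins that stopped >= threshold distinct services: one non-interactive
    process doing this is the ransomware pre-encryption pattern."""
    counts = Counter(f["origin_pid"] for f in findings)
    return {pid for pid, n in counts.items() if n >= threshold}


FIVJF = r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe"
NET, NET1 = r"C:\Windows\System32\net.exe", r"C:\Windows\System32\net1.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed from the PIDs and command lines of processes #68-#76 in this report.
# The net.exe row for 0xe60 (parent of #68) and the two cmd.exe rows are added.
SAMPLE_EVENTS = [
    ProcEvent(0xca8, 0x954, FIVJF, NET, r'"C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y'),
    ProcEvent(0xc40, 0xca8, NET, NET1, r'C:\Windows\system32\net1 stop "Sophos System Protection Service" /y'),
    ProcEvent(0xffc, 0x954, FIVJF, NET, r'"C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y'),
    ProcEvent(0xe54, 0x954, FIVJF, NET, r'"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y'),
    ProcEvent(0xcb8, 0x954, FIVJF, NET, r'"C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y'),
    ProcEvent(0xe60, 0x954, FIVJF, NET, r'"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y'),
    ProcEvent(0xcf4, 0xe60, NET, NET1, r'C:\Windows\system32\net1 stop "Sophos MCS Agent" /y'),
    ProcEvent(0x1234, 0x1000, CMD, NET, "net stop spooler"),
    ProcEvent(0x1240, 0x1000, CMD, NET, r"net use \\srv\share"),
]

if __name__ == "__main__":
    results = find_service_stops(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['severity']:6} 0x{f['origin_pid']:x} {f['origin_image']:10} "
              f"{f['service']!r} forced={f['forced']}")
    print("mass-stop origins:", [hex(p) for p in burst_origins(results)])
```

Run as-is it prints five high-severity findings attributed to fivjf.exe and one low-severity finding for the cmd.exe-launched `net stop spooler`; the net.exe and net1.exe rows for one service collapse into a single finding keyed on the originating process, and burst_origins returns fivjf.exe's PID because it stopped five distinct services. Keying on the first non-net ancestor is what makes the interactive-parent exception usable: without it every net1.exe finding would report net.exe as its parent and the rule could not tell an operator's console from a dropper.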
Process #69: net.exe
Behavior events: 0 host, 0 network
Information Value
ID #69
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xca8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #70: net.exe
Behavior events: 0 host, 0 network
Information Value
ID #70
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xffc
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #71: net1.exe
Behavior events: 17 host, 0 network
Information Value
ID #71
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos MCS Client" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc4c
Parent PID 0xf50 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc40000 0xffc72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:34 (UTC) True 1
Get Time type = Ticks, time = 126438 True 1
Process #72: net1.exe
Behavior events: 17 host, 0 network
Information Value
ID #72
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Message Router" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xd30
Parent PID 0xff8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc40000 0xffc72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:34 (UTC) True 1
Get Time type = Ticks, time = 126485 True 1
Process #73: net.exe
Behavior events: 0 host, 0 network
Information Value
ID #73
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe54
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #74: net.exe
Behavior events: 0 host, 0 network
Information Value
ID #74
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcb8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFD4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #75: net1.exe
Behavior events: 17 host, 0 network
Information Value
ID #75
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:26, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf20
Parent PID 0xfdc (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffd0000 0x100002fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfffd0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:35 (UTC) True 1
Get Time type = Ticks, time = 127390 True 1
Process #76: net1.exe
Behavior events: 17 host, 0 network
Information Value
ID #76
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:26, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc40
Parent PID 0xca8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
locale.nls 0x00280000 0x002e6fff Memory Mapped File r False False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffd0000 0x100002fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfffd0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:35 (UTC) True 1
Get Time type = Ticks, time = 127530 True 1
Process #77: net1.exe
17 0
Information Value
ID #77
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:26, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf38
Parent PID 0xe54 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffd0000 0x100002fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfffd0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:35 (UTC) True 1
Get Time type = Ticks, time = 127562 True 1
Process #78: net.exe
0 0
Information Value
ID #78
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfac
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #79: net1.exe
17 0
Information Value
ID #79
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc24
Parent PID 0xffc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffd0000 0x100002fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfffd0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:36 (UTC) True 1
Get Time type = Ticks, time = 127733 True 1
Process #80: net.exe
0 0
Information Value
ID #80
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8a8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #81: net.exe
0 0
Information Value
ID #81
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AcronisAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe60
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #82: net1.exe
17 0
Information Value
ID #82
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Symantec System Recovery" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1010
Parent PID 0xfac (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1014
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffd0000 0x100002fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfffd0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:37 (UTC) True 1
Get Time type = Ticks, time = 129496 True 1
Process #83: net.exe
0 0
Information Value
ID #83
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x101c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1020
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #84: net.exe
0 0
Information Value
ID #84
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop Antivirus /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1068
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x106C
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #85: net1.exe
17 0
Information Value
ID #85
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AcrSch2Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1074
Parent PID 0x101c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1078
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffd0000 0x100002fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfffd0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:38 (UTC) True 1
Fn
Get Time type = Ticks, time = 130526 True 1
Fn
Process #86: net1.exe
17 0
Information Value
ID #86
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x107c
Parent PID 0x8a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1080
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffd0000 0x100002fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfffd0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:38 (UTC) True 1
Fn
Get Time type = Ticks, time = 130557 True 1
Fn
Process #87: net.exe
0 0
Information Value
ID #87
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ARSM /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10b8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #88: net1.exe
17 0
Information Value
ID #88
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10c0
Parent PID 0xcb8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff90000 0xfffc2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff90000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:39 (UTC) True 1
Fn
Get Time type = Ticks, time = 130900 True 1
Fn
Process #89: net1.exe
17 0
Information Value
ID #89
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AcronisAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10d4
Parent PID 0xe60 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff90000 0xfffc2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff90000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:39 (UTC) True 1
Fn
Get Time type = Ticks, time = 131118 True 1
Fn
Process #90: net1.exe
17 0
Information Value
ID #90
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop Antivirus /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10dc
Parent PID 0x1068 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff90000 0xfffc2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff90000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:39 (UTC) True 1
Fn
Get Time type = Ticks, time = 131446 True 1
Fn
Process #91: net.exe
0 0
Information Value
ID #91
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10ec
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #92: net.exe
0 0
Information Value
ID #92
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1108
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x110C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #93: net.exe
0 0
Information Value
ID #93
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x111c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1120
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #94: net1.exe
Information Value
ID #94
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:29, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1140
Parent PID 0x1108 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1144
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe70000 0xffea2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:40 (UTC) True 1
Get Time type = Ticks, time = 131976 True 1
Process #95: net.exe
Information Value
ID #95
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1148
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x114C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #96: net1.exe
Information Value
ID #96
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ARSM /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1158
Parent PID 0x10b8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x115C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe70000 0xffea2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:40 (UTC) True 1
Get Time type = Ticks, time = 132070 True 1
Process #97: net1.exe
Information Value
ID #97
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1160
Parent PID 0x10ec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1164
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe70000 0xffea2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:40 (UTC) True 1
Get Time type = Ticks, time = 132101 True 1
Process #98: net.exe
Information Value
ID #98
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1170
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1174
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #99: net.exe
Information Value
ID #99
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x119c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #100: net1.exe
Information Value
ID #100
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x11a8
Parent PID 0x111c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff740000 0xff772fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8260000 0x7fef8271fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff740000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:41 (UTC) True 1
Get Time type = Ticks, time = 132600 True 1
Process #101: net.exe
Information Value
ID #101
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x11b8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #102: net.exe
Information Value
ID #102
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop bedbg /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x11d0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #103: net.exe
0 0
Information Value
ID #103
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop DCAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1200
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1204
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #104: net1.exe
17 0
Information Value
ID #104
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecRPCService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1220
Parent PID 0x119c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1224
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 133115 True 1 Fn
Process #105: net1.exe
17 0
Information Value
ID #105
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecJobEngine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1234
Parent PID 0x1148 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1238
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 133240 True 1 Fn
Process #106: net.exe
0 0
Information Value
ID #106
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EPSecurityService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x123c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1240
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #107: net1.exe
17 0
Information Value
ID #107
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecVSSProvider /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1248
Parent PID 0x11b8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x124C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 133318 True 1 Fn
Process #108: net1.exe
17 0
Information Value
ID #108
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecManagementService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1250
Parent PID 0x1170 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1254
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 133349 True 1 Fn
Process #109: net1.exe
17 0
Information Value
ID #109
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop bedbg /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1258
Parent PID 0x11d0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x125C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 133458 True 1 Fn
Process #110: net.exe
0 0
Information Value
ID #110
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EPUpdateService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:08
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x126c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1270
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #111: net1.exe
17 0
Information Value
ID #111
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop DCAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1278
Parent PID 0x1200 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x127C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 134114 True 1 Fn
Process #112: net.exe
0 0
Information Value
ID #112
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1290
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1294
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #113: net1.exe
17 0
Information Value
ID #113
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EPSecurityService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x12a0
Parent PID 0x123c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9d0000 0xffa02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff9d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:43 (UTC) True 1 Fn
Get Time type = Ticks, time = 135034 True 1 Fn
Process #114: net.exe
0 0
Information Value
ID #114
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EsgShKernel /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:07
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12b0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #115: net.exe
0 0
Information Value
ID #115
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop FA_Scheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12d0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #116: net1.exe
17 0
Information Value
ID #116
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EraserSvc11710 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1374
Parent PID 0x1290 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1378
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff8d0000 0xff902fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff8d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:45 (UTC) True 1 Fn
Get Time type = Ticks, time = 137109 True 1 Fn
Process #117: net.exe
0 0
Information Value
ID #117
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop IISAdmin /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1380
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1384
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #118: net1.exe
17 0
Information Value
ID #118
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop IISAdmin /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf20
Parent PID 0x1380 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd10000 0xffd42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 139745 True 1 Fn
Process #119: net1.exe
Information Value
ID #119
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop FA_Scheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf38
Parent PID 0x12d0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd10000 0xffd42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 139792 True 1 Fn
Process #120: net1.exe
Information Value
ID #120
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EPUpdateService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xee8
Parent PID 0x126c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd10000 0xffd42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 139823 True 1 Fn
Process #121: net1.exe
Information Value
ID #121
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EsgShKernel /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xff4
Parent PID 0x12b0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd10000 0xffd42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 139870 True 1 Fn
Process #122: net.exe
Information Value
ID #122
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop IMAP4Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xec0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #123: net.exe
Information Value
ID #123
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop macmnsvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfdc
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #124: net.exe
Information Value
ID #124
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop masvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1010
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #125: net1.exe
Information Value
ID #125
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop IMAP4Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xca8
Parent PID 0xec0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd80000 0xffdb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 140447 True 1 Fn
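The net.exe / net1.exe pairs in the processes above (each "net stop <service> /y" is issued by net.exe, which re-launches itself as net1.exe with the same arguments) and the taskkill.exe children in the process overview are the service-and-process-killing stage that the report attributes to the sample. The Python below is an added detection example, not part of the VMRay report: it replays constructed process-creation events modelled on this report's process table (the PIDs and command lines of fivjf.exe, its taskkill.exe children and the net.exe/net1.exe pairs are copied from the report; the explorer.exe row with a single "net stop Spooler" child is invented benign noise) and flags any parent that spawns a burst of "net stop … /y" or "taskkill /IM … /F" children. The event dictionary shape and the threshold of three distinct targets are assumptions for the example; the net1.exe hand-off is skipped so each stop is counted once.

```python
import re
from collections import defaultdict

# Command lines as the report shows them: net.exe is launched quoted with a full
# path, then hands off to an unquoted "C:\Windows\system32\net1 stop <svc> /y".
NET_STOP = re.compile(
    r'^"?(?:[a-z]:\\windows\\system32\\)?net1?(?:\.exe)?"?\s+stop\s+(\S+)\s+/y\s*$',
    re.IGNORECASE,
)
TASKKILL = re.compile(
    r'^"?(?:[a-z]:\\windows\\system32\\)?taskkill(?:\.exe)?"?\s+/im\s+(\S+)\s+/f\s*$',
    re.IGNORECASE,
)


def basename(path):
    """Last component of a Windows path, lower-cased (works off-Windows too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(cmdline):
    """Return ("service", name) or ("process", image) for a kill command, else None."""
    m = NET_STOP.match(cmdline)
    if m:
        return "service", m.group(1)
    m = TASKKILL.match(cmdline)
    if m:
        return "process", m.group(1).lower()
    return None


def detect(events, threshold=3):
    """Group kill commands by parent PID; return parents at or above threshold.

    events: iterable of dicts with pid, ppid (ints) and image, cmdline (str).
    net.exe always re-spawns itself as net1.exe with the same arguments, so a
    net1.exe whose parent is net.exe is skipped to count each stop only once.
    """
    image_by_pid = {e["pid"]: basename(e["image"]) for e in events}
    hits = defaultdict(lambda: {"services": set(), "processes": set()})
    for e in events:
        kind = classify(e["cmdline"])
        if kind is None:
            continue
        if basename(e["image"]) == "net1.exe" and image_by_pid.get(e["ppid"]) == "net.exe":
            continue
        bucket = "services" if kind[0] == "service" else "processes"
        hits[e["ppid"]][bucket].add(kind[1])
    return {
        ppid: {"services": sorted(v["services"]), "processes": sorted(v["processes"])}
        for ppid, v in hits.items()
        if len(v["services"]) + len(v["processes"]) >= threshold
    }


# Constructed sample modelled on the report's process table. PIDs and command
# lines of fivjf.exe, its taskkill.exe children and the net.exe/net1.exe pairs
# are copied from the report (user directory shortened); the explorer.exe row and
# its single "net stop Spooler" child are invented benign noise for the threshold.
SAMPLE_EVENTS = [
    {"pid": 0x954, "ppid": 0x300, "image": r"C:\Users\user\Desktop\fivjf.exe",
     "cmdline": r'"C:\Users\user\Desktop\fivjf.exe"'},
    {"pid": 0x97c, "ppid": 0x954, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'},
    {"pid": 0x988, "ppid": 0x954, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F'},
    {"pid": 0xec0, "ppid": 0x954, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop IMAP4Svc /y'},
    {"pid": 0xca8, "ppid": 0xec0, "image": r"C:\Windows\System32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop IMAP4Svc /y"},
    {"pid": 0xfdc, "ppid": 0x954, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop macmnsvc /y'},
    {"pid": 0xfac, "ppid": 0xfdc, "image": r"C:\Windows\System32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop macmnsvc /y"},
    {"pid": 0x1010, "ppid": 0x954, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop masvc /y'},
    {"pid": 0x400, "ppid": 0x300, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 0x500, "ppid": 0x400, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop Spooler /y'},
]

if __name__ == "__main__":
    for ppid, what in detect(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid:#x}: stopped {what['services']}, killed {what['processes']}")
```

On real telemetry the same logic runs over Sysmon event 1 or Windows 4688 records; keying on the parent PID rather than on individual net.exe or taskkill.exe executions is what separates this burst from an administrator stopping a single service.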
Process #126: net1.exe
Information Value
ID #126
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop macmnsvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfac
Parent PID 0xfdc (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd80000 0xffdb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:48 (UTC) True 1
Get Time type = Ticks, time = 140478 True 1
Process #127: net.exe
0 0
Information Value
ID #127
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MBAMService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1078
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1080
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #128: net.exe
0 0
Information Value
ID #128
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xce8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x101C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #129: net.exe
0 0
Information Value
ID #129
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdf0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #130: net.exe
0 0
Information Value
ID #130
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10e8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1024
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #131: net1.exe
17 0
Information Value
ID #131
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop masvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x10d8
Parent PID 0x1010 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff190000 0xff1c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff190000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:49 (UTC) True 1
Get Time type = Ticks, time = 141009 True 1
Process #132: net1.exe
17 0
Information Value
ID #132
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MBAMService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x10b0
Parent PID 0x1078 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff190000 0xff1c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff190000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:49 (UTC) True 1
Get Time type = Ticks, time = 140993 True 1
Process #133: net1.exe
17 0
Information Value
ID #133
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MBEndpointAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe60
Parent PID 0xce8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1048
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
locale.nls 0x00260000 0x002c6fff Memory Mapped File r False False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe00000 0xffe32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:49 (UTC) True 1
Get Time type = Ticks, time = 141165 True 1
Process #134: net.exe
0 0
Information Value
ID #134
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1114
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #135: net.exe
0 0
Information Value
ID #135
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McShield /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x106c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1068
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #136: net.exe
0 0
Information Value
ID #136
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McTaskManager /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x112c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1150
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #137: net.exe
0 0
Information Value
ID #137
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfemms /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd70
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1108
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #138: net1.exe
17 0
Information Value
ID #138
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1110
Parent PID 0x10e8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x11A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
locale.nls 0x00180000 0x001e6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:50 (UTC) True 1
Get Time type = Ticks, time = 141617 True 1
Process #139: net1.exe
17 0
Information Value
ID #139
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeEngineService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1158
Parent PID 0xdf0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1134
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:50 (UTC) True 1
Get Time type = Ticks, time = 141742 True 1
Process #140: net1.exe
17 0
Information Value
ID #140
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McTaskManager /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10bc
Parent PID 0x112c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1160
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:50 (UTC) True 1
Get Time type = Ticks, time = 141695 True 1
Process #141: net.exe
0 0
Information Value
ID #141
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfevtp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10b8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1104
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #142: net.exe
0 0
Information Value
ID #142
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MMS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x11b4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #143: net1.exe
17 0
Information Value
ID #143
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1138
Parent PID 0x1114 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 142054 True 1 Fn
Process #144: net1.exe
17 0
Information Value
ID #144
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McShield /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x11d8
Parent PID 0x106c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x117C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 142085 True 1 Fn
Process #145: net.exe
0 0
Information Value
ID #145
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mozyprobackup /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1214
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1208
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
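The rows above show the termination chain this sample repeats throughout the report: fivjf.exe (PID 0x954) launches `net.exe stop <service> /y`, and net.exe hands the work to a `net1.exe` child with the same arguments (the `/y` answers the dependent-services prompt so the stop never blocks), so every stopped service appears twice in the process list under two different parents. The Python below is an added detection example, not part of the VMRay report or its tooling. It replays constructed process-creation records modelled on these rows (PIDs and `net`/`net1` command lines follow the report; the user path is shortened, the parent PID of fivjf.exe and the two `taskkill` rows are invented, and the Sysmon-style field names are an assumption), charges each net1.exe hop back to net.exe's parent so a service is counted once, and flags any process that terminates five or more distinct targets inside a 30-second window. It also handles the `taskkill /IM <image> /F` form, which these rows do not show.

```python
"""Flag mass service/process termination chains like the one in this report (added example)."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, pid, ppid, image, cmd):
    """One constructed process-creation record; field names mimic Sysmon Event ID 1 (assumed)."""
    return {"UtcTime": time, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmd}


SYS = r"C:\Windows\System32"
T = "2018-11-27 19:46:50"
# Constructed sample. PIDs and net/net1 command lines follow the report; the user path is
# shortened, fivjf.exe's parent (0x7a0) and the taskkill rows are invented. The first two
# rows are a benign one-off administrative stop from a shell and must not be flagged.
SAMPLE_EVENTS = [
    _ev("2018-11-27 19:30:05", 0x310, 0x300, SYS + r"\net.exe", rf'"{SYS}\net.exe" stop Spooler /y'),
    _ev("2018-11-27 19:30:05", 0x314, 0x310, SYS + r"\net1.exe", rf"{SYS}\net1 stop Spooler /y"),
    _ev(T, 0x954, 0x7a0, r"C:\Users\user\Desktop\fivjf.exe", r'"C:\Users\user\Desktop\fivjf.exe"'),
    _ev(T, 0xa00, 0x954, SYS + r"\taskkill.exe", rf'"{SYS}\taskkill.exe" /IM sqlservr.exe /F'),
    _ev(T, 0xa10, 0x954, SYS + r"\taskkill.exe", rf'"{SYS}\taskkill.exe" /IM outlook.exe /F'),
    _ev(T, 0x106c, 0x954, SYS + r"\net.exe", rf'"{SYS}\net.exe" stop McShield /y'),
    _ev(T, 0x11d8, 0x106c, SYS + r"\net1.exe", rf"{SYS}\net1 stop McShield /y"),
    _ev(T, 0x1214, 0x954, SYS + r"\net.exe", rf'"{SYS}\net.exe" stop mozyprobackup /y'),
    _ev(T, 0xd70, 0x954, SYS + r"\net.exe", rf'"{SYS}\net.exe" stop mfemms /y'),
    _ev(T, 0x1224, 0xd70, SYS + r"\net1.exe", rf"{SYS}\net1 stop mfemms /y"),
    _ev(T, 0x1218, 0x954, SYS + r"\net.exe", rf'"{SYS}\net.exe" stop MsDtsServer /y'),
    _ev("2018-11-27 19:46:51", 0x9e4, 0x954, SYS + r"\net.exe", rf'"{SYS}\net.exe" stop MSExchangeES /y'),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_termination(cmdline):
    """("service", name) for `net[1] stop <name> ...`, ("process", image) for
    `taskkill ... /IM <image> ...`, else None. Case-insensitive, quoted paths handled."""
    try:
        argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes
        return None
    if not argv:
        return None
    image, args = _basename(argv[0]), [a.lower() for a in argv[1:]]
    if image in ("net.exe", "net1.exe", "net", "net1"):
        if len(args) >= 2 and args[0] == "stop":
            return ("service", args[1])
    elif image in ("taskkill.exe", "taskkill") and "/im" in args:
        i = args.index("/im")
        if i + 1 < len(args):
            return ("process", args[i + 1])
    return None


def find_mass_termination(events, threshold=5, window=timedelta(seconds=30)):
    """Charge each termination command to the process that issued it; flag issuers with
    >= threshold distinct targets inside one sliding window.

    net.exe only parses arguments and re-runs them via net1.exe (the report lists both), so a
    net1.exe child is charged to net.exe's parent and the per-issuer set collapses the pair."""
    by_pid = {e["ProcessId"]: e for e in events}  # assumes no PID reuse inside the batch

    def issuer(e):
        parent = by_pid.get(e["ParentProcessId"])
        if parent is not None and _basename(parent["Image"]) == "net.exe":
            return parent["ParentProcessId"]
        return e["ParentProcessId"]

    buckets = defaultdict(lambda: {"services": set(), "processes": set(), "stamps": []})
    for e in events:
        hit = classify_termination(e["CommandLine"])
        if hit is None:
            continue
        kind, target = hit
        b = buckets[issuer(e)]
        if target not in b["services"] and target not in b["processes"]:
            b["stamps"].append(datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"))
        b["services" if kind == "service" else "processes"].add(target)

    alerts = []
    for pid, b in buckets.items():
        stamps = sorted(b["stamps"])
        peak = max(sum(1 for s in stamps if t <= s <= t + window) for t in stamps)
        if peak >= threshold:
            alerts.append({"pid": pid, "peak_in_window": peak,
                           "image": by_pid[pid]["Image"] if pid in by_pid else "<not in batch>",
                           "services": sorted(b["services"]), "processes": sorted(b["processes"])})
    return alerts


if __name__ == "__main__":
    for a in find_mass_termination(SAMPLE_EVENTS):
        print(f"PID {a['pid']:#x} {a['image']}: {a['peak_in_window']} targets in window, "
              f"services={a['services']} processes={a['processes']}")
```

The benign Spooler stop is charged to its shell and stays below the threshold, while fivjf.exe collects seven distinct targets within one second. PIDs are recycled by Windows, so production code should key on a process GUID or (PID, creation time) rather than the bare PID used here because that is all the report exposes.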
Process #146: net1.exe
17 0
Information Value
ID #146
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfemms /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1224
Parent PID 0xd70 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1238
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffae0000 0xffb12fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffae0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 142366 True 1 Fn
Process #147: net1.exe
17 0
Information Value
ID #147
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfevtp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1220
Parent PID 0x10b8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1234
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffae0000 0xffb12fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffae0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 142475 True 1 Fn
Process #148: net.exe
0 0
Information Value
ID #148
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1218
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #149: net.exe
0 0
Information Value
ID #149
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1284
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11F0
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #150: net1.exe
17 0
Information Value
ID #150
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MMS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1228
Parent PID 0x11b4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffae0000 0xffb12fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffae0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:51 (UTC) True 1 Fn
Get Time type = Ticks, time = 142709 True 1 Fn
Process #151: net.exe
0 0
Information Value
ID #151
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12c4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12C8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #152: net.exe
0 0
Information Value
ID #152
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeES /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9e4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #153: net.exe
0 0
Information Value
ID #153
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeIS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x11d0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1230
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #154: net1.exe
17 0
Information Value
ID #154
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x127c
Parent PID 0x1218 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe60000 0xffe92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:51 (UTC) True 1
Get Time type = Ticks, time = 143115 True 1
Process #155: net1.exe
17 0
Information Value
ID #155
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mozyprobackup /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x988
Parent PID 0x1214 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe60000 0xffe92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:51 (UTC) True 1
Get Time type = Ticks, time = 143146 True 1
Process #156: net1.exe
17 0
Information Value
ID #156
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer110 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x99c
Parent PID 0x12c4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe60000 0xffe92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:51 (UTC) True 1
Get Time type = Ticks, time = 143271 True 1
Process #157: net.exe
0 0
Information Value
ID #157
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa70
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #158: net.exe
0 0
Information Value
ID #158
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12ec
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #159: net1.exe
17 0
Information Value
ID #159
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x12f0
Parent PID 0x1284 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe60000 0xffe92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:51 (UTC) True 1
Get Time type = Ticks, time = 143505 True 1
Process #160: net.exe
0 0
Information Value
ID #160
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeSA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12f8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x77C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #161: net1.exe
17 0
Information Value
ID #161
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeES /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1278
Parent PID 0x9e4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x00000000005d0000 0x005d0000 0x005dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff190000 0xff1c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff190000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:52 (UTC) True 1
Get Time type = Ticks, time = 144020 True 1
Process #162: net1.exe
Information Value
ID #162
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeIS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x130c
Parent PID 0x11d0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff190000 0xff1c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff190000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:52 (UTC) True 1
Get Time type = Ticks, time = 143832 True 1
Process #163: net.exe
Information Value
ID #163
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x420
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1310
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #164: net1.exe
Information Value
ID #164
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeSA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xba0
Parent PID 0x12f8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff190000 0xff1c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff190000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:52 (UTC) True 1
Get Time type = Ticks, time = 143942 True 1
Process #165: net1.exe
Information Value
ID #165
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeMGMT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1318
Parent PID 0xa70 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff190000 0xff1c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff190000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:52 (UTC) True 1
Get Time type = Ticks, time = 144113 True 1
Process #166: net.exe
Information Value
ID #166
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa24
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #167: net.exe
Information Value
ID #167
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x80c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x544
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #168: net1.exe
Information Value
ID #168
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeMTA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x324
Parent PID 0x12ec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1334
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff630000 0xff662fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
»
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff630000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
»
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:52 (UTC) True 1
Fn
Get Time type = Ticks, time = 144285 True 1
Fn
Process #169: net.exe
Information Value
ID #169
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9f4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12AC
Region
Process #170: net.exe
Information Value
ID #170
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9a8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1204
Region
Process #171: net.exe
Information Value
ID #171
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x121c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1288
Region
Process #172: net1.exe
Information Value
ID #172
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeSRS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb40
Parent PID 0x420 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA0C
Region
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:52 (UTC) True 1
Get Time type = Ticks, time = 144581 True 1
Process #173: net1.exe
Information Value
ID #173
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x8c4
Parent PID 0xa24 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA48
Region
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:53 (UTC) True 1
Get Time type = Ticks, time = 144722 True 1
Process #174: net1.exe
Information Value
ID #174
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa5c
Parent PID 0x80c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9C8
Region
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:53 (UTC) True 1
Get Time type = Ticks, time = 144722 True 1
Process #175: net.exe
Information Value
ID #175
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9c0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x964
Region
Process #176: net.exe
Information Value
ID #176
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x538
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x24C
Region
Process #177: net1.exe
Information Value
ID #177
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8dc
Parent PID 0x9a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x330
Region
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff380000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:53 (UTC) True 1
Get Time type = Ticks, time = 145065 True 1
Process #178: net.exe
0 0
Information Value
ID #178
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x828
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x764
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #179: net1.exe
17 0
Information Value
ID #179
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb78
Parent PID 0x121c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff360000 0xff392fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff360000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:53 (UTC) True 1
Get Time type = Ticks, time = 145299 True 1
Process #180: net.exe
0 0
Information Value
ID #180
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb34
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #181: net1.exe
17 0
Information Value
ID #181
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb58
Parent PID 0x9f4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0009ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff360000 0xff392fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff360000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:53 (UTC) True 1
Get Time type = Ticks, time = 145330 True 1
Process #182: net.exe
0 0
Information Value
ID #182
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x51c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #183: net.exe
0 0
Information Value
ID #183
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #184: net1.exe
17 0
Information Value
ID #184
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbf0
Parent PID 0x828 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x918
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff970000 0xff9a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff970000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:54 (UTC) True 1
Get Time type = Ticks, time = 145751 True 1
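The net.exe / net1.exe pairs above (Process #178, PID 0x828, spawning Process #184 with the same MSSQL$PRACTTICEBGC target) show the analysis target fanning out forced service stops from one parent. The Python below is an added example for detection engineers, not part of the VMRay report or of the sample's code. It assumes process-creation events arrive as (seconds, pid, ppid, image path, command line) tuples, as a Sysmon or EDR feed would supply them, and it runs over constructed sample events built from the command lines and PIDs in this section; the parent of fivjf.exe, the net.exe line for PID 0x538, the taskkill line and the lone benign "net stop Spooler" event are invented and marked as such in the code.

```python
"""Flag a pre-encryption kill burst: one ancestor fanning out forced
net.exe/net1.exe 'stop <service> /y' and taskkill '/IM <image> /F' children.

Added example, not VMRay or sample code. The event shape (seconds, pid, ppid,
image path, command line) is an assumption modelled on a process-creation feed.
"""
import re
from collections import defaultdict

# Constructed sample events, taken from the command lines and PIDs in this
# section of the report. Assumptions: the parent of fivjf.exe (0x123), the
# net.exe line for PID 0x538 (only its net1.exe child appears in the report),
# the taskkill line and the benign 'net stop Spooler' event are invented.
SAMPLE_EVENTS = [
    (0.0,   0x954,  0x123,  r"c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe",
            r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe"'),
    (102.0, 0x828,  0x954,  r"c:\windows\system32\net.exe",
            r'"C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y'),
    (102.0, 0xb34,  0x954,  r"c:\windows\system32\net.exe",
            r'"C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y'),
    (102.0, 0x51c,  0x954,  r"c:\windows\system32\net.exe",
            r'"C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y'),
    (102.0, 0x538,  0x954,  r"c:\windows\system32\net.exe",
            r'"C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y'),
    (102.5, 0x1400, 0x954,  r"c:\windows\system32\taskkill.exe",
            r'"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F'),
    (103.0, 0xc4,   0x954,  r"c:\windows\system32\net.exe",
            r'"C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y'),
    (103.0, 0x1200, 0x954,  r"c:\windows\system32\net.exe",
            r'"C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y'),
    (103.0, 0xbf0,  0x828,  r"c:\windows\system32\net1.exe",
            r"C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y"),
    (103.0, 0x1340, 0x538,  r"c:\windows\system32\net1.exe",
            r"C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y"),
    (200.0, 0x2000, 0x1000, r"c:\windows\system32\net.exe",
            r'"C:\Windows\System32\net.exe" stop Spooler /y'),
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments whole and stripping their quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(image, cmdline):
    """Return (kind, target, forced) for a service stop or process kill,
    else None. 'forced' means /y (net stop: suppress the dependent-service
    prompt) or /f (taskkill: terminate without asking)."""
    exe = image.rsplit("\\", 1)[-1].lower()
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if exe in ("net.exe", "net1.exe") and len(toks) >= 3 and low[1] == "stop":
        return ("service", toks[2], "/y" in low)
    if exe == "taskkill.exe" and "/im" in low:
        i = low.index("/im")
        if i + 1 < len(toks):
            return ("process", toks[i + 1], "/f" in low)
    return None


def root_of(pid, parent_of, max_depth=64):
    """Follow pid -> ppid while the parent is itself a known process; the
    topmost known ancestor is the 'root' a burst is attributed to."""
    for _ in range(max_depth):
        ppid = parent_of.get(pid)
        if ppid is None or ppid not in parent_of:
            return pid
        pid = ppid
    return pid


def find_kill_bursts(events, threshold=5, window=60.0):
    """Attribute every forced stop/kill to its root ancestor and return
    {root_pid: sorted distinct (kind, target)} for roots reaching `threshold`
    distinct targets within `window` seconds of their first one. net.exe and
    its net1.exe child name the same service, so targets are de-duplicated."""
    parent_of = {pid: ppid for _, pid, ppid, _, _ in events}
    hits = defaultdict(list)  # root pid -> [(t, kind, target), ...] in time order
    for t, pid, _ppid, image, cmd in sorted(events):
        c = classify(image, cmd)
        if c is None or not c[2]:
            continue  # interactive stop without /y or /f: leave to the admin
        hits[root_of(pid, parent_of)].append((t, c[0], c[1]))
    alerts = {}
    for root, items in hits.items():
        t0 = items[0][0]
        targets = {(k, tgt.lower()) for t, k, tgt in items if t - t0 <= window}
        if len(targets) >= threshold:
            alerts[root] = sorted(targets)
    return alerts


if __name__ == "__main__":
    for root, targets in find_kill_bursts(SAMPLE_EVENTS).items():
        print(f"root pid 0x{root:x}: {len(targets)} forced stops/kills")
        for kind, target in targets:
            print(f"  {kind:8} {target}")
```

Attribution walks the parent chain, so a net1.exe child is counted against the original process rather than against its net.exe parent, and a service named by both counts once; the single "net stop Spooler" event stays under the threshold. In this report the stop attempts appear to fail (Get Service Name returns False and net1.exe writes to STD_ERROR_HANDLE), consistent with the targeted instances not being installed in the sandbox, so a detection of this kind should fire on the attempt, not on a successful stop.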
Process #185: net.exe
0 0
Information Value
ID #185
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1200
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1260
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #186: net1.exe
17 0
Information Value
ID #186
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1340
Parent PID 0x538 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x590
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff970000 0xff9a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff970000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 145938 True 1 Fn
Process #187: net1.exe
17 0
Information Value
ID #187
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1e0
Parent PID 0x9c0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1344
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x0000000000670000 0x00670000 0x0067ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff970000 0xff9a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff970000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 145876 True 1 Fn
Process #188: net1.exe
17 0
Information Value
ID #188
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x510
Parent PID 0xb34 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff970000 0xff9a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff970000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 145954 True 1 Fn
Process #189: net1.exe
17 0
Information Value
ID #189
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1348
Parent PID 0x51c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff970000 0xff9a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff970000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 145954 True 1 Fn
Process #190: net.exe
0 0
Information Value
ID #190
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1350
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #191: net.exe
0 0
Information Value
ID #191
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc58
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1358
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #192: net1.exe
17 0
Information Value
ID #192
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa88
Parent PID 0x1200 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x570
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff520000 0xff552fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff520000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 146516 True 1 Fn
Process #193: net1.exe
17 0
Information Value
ID #193
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x8f8
Parent PID 0xc4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff520000 0xff552fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff520000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 146469 True 1 Fn
Process #194: net.exe
0 0
Information Value
ID #194
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa8c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000640000 0x00640000 0x0064ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #195: net.exe
0 0
Information Value
ID #195
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x418
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x55C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #196: net1.exe
17 0
Information Value
ID #196
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb3c
Parent PID 0x1350 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6d0000 0xff702fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 146890 True 1 Fn
Process #197: net1.exe
17 0
Information Value
ID #197
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x49c
Parent PID 0xc58 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x814
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6d0000 0xff702fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 146843 True 1 Fn
Process #198: net.exe
0 0
Information Value
ID #198
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1368
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #199: net.exe
0 0
Information Value
ID #199
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x90c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #200: net.exe
0 0
Information Value
ID #200
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9ec
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x994
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #201: net1.exe
17 0
Information Value
ID #201
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x91c
Parent PID 0xa8c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 147233 True 1 Fn
Process #202: net1.exe
17 0
Information Value
ID #202
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x137c
Parent PID 0x418 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 147280 True 1 Fn
Process #203: net.exe
0 0
Information Value
ID #203
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd08
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #204: net.exe
0 0
Information Value
ID #204
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8ec
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #205: net1.exe
17 0
Information Value
ID #205
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc14
Parent PID 0x1368 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001bffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff390000 0xff3c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff390000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 147592 True 1 Fn
Process #206: net.exe
0 0
Information Value
ID #206
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc68
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #207: net1.exe
17 0
Information Value
ID #207
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x81c
Parent PID 0x90c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4c0000 0xff4f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff4c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 147966 True 1 Fn
Process #208: net1.exe
17 0
Information Value
ID #208
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc80
Parent PID 0xd08 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4c0000 0xff4f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff4c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 148029 True 1 Fn
Process #209: net1.exe
17 0
Information Value
ID #209
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x584
Parent PID 0x9ec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4c0000 0xff4f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff4c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 147904 True 1 Fn
Process #210: net.exe
0 0
Information Value
ID #210
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc10
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #211: net.exe
0 0
Information Value
ID #211
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x924
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #212: net.exe
0 0
Information Value
ID #212
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x950
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #213: net1.exe
17 0
Information Value
ID #213
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9a0
Parent PID 0xc68 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x920
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4c0000 0xff4f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff4c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:56 (UTC) True 1
Get Time type = Ticks, time = 148388 True 1
Process #214: net1.exe
17 0
Information Value
ID #214
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb18
Parent PID 0x8ec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x944
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4c0000 0xff4f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff4c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:56 (UTC) True 1
Get Time type = Ticks, time = 148310 True 1
Process #215: net.exe
0 0
Information Value
ID #215
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x824
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #216: net.exe
0 0
Information Value
ID #216
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x228
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x260
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #217: net.exe
0 0
Information Value
ID #217
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaf8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #218: net1.exe
17 0
Information Value
ID #218
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa80
Parent PID 0x950 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:57 (UTC) True 1
Get Time type = Ticks, time = 148809 True 1
Process #219: net1.exe
17 0
Information Value
ID #219
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xad4
Parent PID 0xc10 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:57 (UTC) True 1
Fn
Get Time type = Ticks, time = 148996 True 1
Fn
Process #220: net1.exe
17 0
Information Value
ID #220
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x7cc
Parent PID 0x924 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0008ffff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:57 (UTC) True 1
Fn
Get Time type = Ticks, time = 149121 True 1
Fn
Process #221: net.exe
0 0
Information Value
ID #221
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MySQL80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7e8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #222: net.exe
0 0
Information Value
ID #222
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MySQL57 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb70
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #223: net1.exe
17 0
Information Value
ID #223
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLSERVER /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbec
Parent PID 0x824 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x804
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:57 (UTC) True 1
Fn
Get Time type = Ticks, time = 149433 True 1
Fn
Process #224: net1.exe
17 0
Information Value
ID #224
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x92c
Parent PID 0xaf8 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x708
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:57 (UTC) True 1
Fn
Get Time type = Ticks, time = 149526 True 1
Fn
Process #225: net1.exe
17 0
Information Value
ID #225
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xcac
Parent PID 0x228 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:57 (UTC) True 1
Fn
Get Time type = Ticks, time = 149542 True 1
Fn
Process #226: net.exe
0 0
Information Value
ID #226
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ntrtscan /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd04
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #227: net.exe
0 0
Information Value
ID #227
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x13c0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #228: net.exe
0 0
Information Value
ID #228
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop PDVFSService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:00
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe14
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #229: net1.exe
17 0
Information Value
ID #229
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MySQL80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xea4
Parent PID 0x7e8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:58 (UTC) True 1
Get Time type = Ticks, time = 149807 True 1
Process #230: net.exe
0 0
Information Value
ID #230
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop POP3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xeb0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #231: net.exe
0 0
Information Value
ID #231
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc88
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #232: net1.exe
17 0
Information Value
ID #232
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MySQL57 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xca4
Parent PID 0xb70 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1338
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:58 (UTC) True 1
Get Time type = Ticks, time = 150057 True 1
Process #233: net1.exe
17 0
Information Value
ID #233
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ntrtscan /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xdac
Parent PID 0xd04 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:58 (UTC) True 1
Get Time type = Ticks, time = 150057 True 1
Process #234: net1.exe
17 0
Information Value
ID #234
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop OracleClientCache80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xcf0
Parent PID 0x13c0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:46:58 (UTC) True 1
Get Time type = Ticks, time = 150072 True 1
Process #235: net1.exe
17 0
Information Value
ID #235
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop PDVFSService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe80
Parent PID 0xe14 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff180000 0xff1b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff180000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:58 (UTC) True 1 Fn
Get Time type = Ticks, time = 150228 True 1 Fn
Process #236: net.exe
0 0
Information Value
ID #236
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe84
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #237: net.exe
0 0
Information Value
ID #237
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd20
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #238: net.exe
0 0
Information Value
ID #238
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1290
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1360
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #239: net.exe
0 0
Information Value
ID #239
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1264
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x11C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #240: net1.exe
17 0
Information Value
ID #240
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x11b8
Parent PID 0xc88 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5c0000 0xff5f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff5c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:59 (UTC) True 1 Fn
Get Time type = Ticks, time = 150603 True 1 Fn
Process #241: net1.exe
17 0
Information Value
ID #241
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop POP3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xcf8
Parent PID 0xeb0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5c0000 0xff5f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff5c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:59 (UTC) True 1 Fn
Get Time type = Ticks, time = 150712 True 1 Fn
Process #242: net1.exe
17 0
Information Value
ID #242
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xcb4
Parent PID 0x1290 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
locale.nls 0x00190000 0x001f6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5c0000 0xff5f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff5c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:59 (UTC) True 1 Fn
Get Time type = Ticks, time = 150665 True 1 Fn
Process #243: net.exe
0 0
Information Value
ID #243
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop RESvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc98
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #244: net.exe
0 0
Information Value
ID #244
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop sacsvr /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd40
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #245: net1.exe
17 0
Information Value
ID #245
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe68
Parent PID 0xe84 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1390
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5c0000 0xff5f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff5c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:59 (UTC) True 1 Fn
Get Time type = Ticks, time = 150946 True 1 Fn
Process #246: net1.exe
17 0
Information Value
ID #246
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xde0
Parent PID 0xd20 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x13DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5c0000 0xff5f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff5c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:59 (UTC) True 1 Fn
Get Time type = Ticks, time = 150977 True 1 Fn
Process #247: net.exe
0 0
Information Value
ID #247
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SamSs /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc40
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #248: net.exe
0 0
Information Value
ID #248
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SAVAdminService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12b4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #249: net.exe
0 0
Information Value
ID #249
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SAVService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe54
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #250: net1.exe
19 0
Information Value
ID #250
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SamSs /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf30
Parent PID 0xc40 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff480000 0xff4b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff480000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (4)
Operation Additional Information Success Count Logfile
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:46:59 (UTC) True 1 Fn
Get Time type = Ticks, time = 151539 True 1 Fn
Process #251: net.exe
0 0
Information Value
ID #251
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SDRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfbc
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1014
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #252: net1.exe
17 0
Information Value
ID #252
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf8c
Parent PID 0x1264 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff480000 0xff4b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff480000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:00 (UTC) True 1 Fn
Get Time type = Ticks, time = 151679 True 1 Fn
Process #253: net1.exe
17 0
Information Value
ID #253
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop sacsvr /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf04
Parent PID 0xd40 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff480000 0xff4b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff480000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:00 (UTC) True 1
Get Time type = Ticks, time = 151679 True 1
Process #254: net1.exe
17 0
Information Value
ID #254
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SAVAdminService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe40
Parent PID 0x12b4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1384
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff480000 0xff4b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff480000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:00 (UTC) True 1
Get Time type = Ticks, time = 151695 True 1
Process #255: net1.exe
17 0
Information Value
ID #255
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop RESvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe3c
Parent PID 0xc98 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff480000 0xff4b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff480000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:00 (UTC) True 1
Get Time type = Ticks, time = 151695 True 1
Process #256: net.exe
0 0
Information Value
ID #256
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SepMasterService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe50
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1380
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #257: net.exe
0 0
Information Value
ID #257
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ShMonitor /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf84
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #258: net.exe
0 0
Information Value
ID #258
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop Smcinst /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfa0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #259: net1.exe
17 0
Information Value
ID #259
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SAVService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1030
Parent PID 0xe54 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3f0000 0xff422fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:00 (UTC) True 1
Get Time type = Ticks, time = 152241 True 1
Process #260: net1.exe
20 0
Information Value
ID #260
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SDRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xea8
Parent PID 0xfbc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3f0000 0xff422fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 44 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = SDRSVC True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:00 (UTC) True 1
Get Time type = Ticks, time = 152272 True 1
Process #261: net.exe
0 0
Information Value
ID #261
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SmcService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xef4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #262: net.exe
0 0
Information Value
ID #262
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SMTPSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe5c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x129C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #263: net1.exe
17 0
Information Value
ID #263
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SepMasterService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x126c
Parent PID 0xe50 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff910000 0xff942fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff910000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:01 (UTC) True 1 Fn
Get Time type = Ticks, time = 152818 True 1 Fn
Process #264: net1.exe
17 0
Information Value
ID #264
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ShMonitor /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x12cc
Parent PID 0xf84 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1280
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff910000 0xff942fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff910000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:01 (UTC) True 1 Fn
Get Time type = Ticks, time = 152740 True 1 Fn
Process #265: net1.exe
17 0
Information Value
ID #265
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop Smcinst /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfe8
Parent PID 0xfa0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff910000 0xff942fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff910000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:01 (UTC) True 1 Fn
Get Time type = Ticks, time = 152771 True 1 Fn
Process #266: net.exe
0 0
Information Value
ID #266
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SNAC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe74
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #267: net.exe
0 0
Information Value
ID #267
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SntpService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfcc
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #268: net.exe
0 0
Information Value
ID #268
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop sophossps /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf24
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #269: net.exe
0 0
Information Value
ID #269
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc9c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x105C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #270: net.exe
0 0
Information Value
ID #270
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10c8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10FC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #271: net.exe
0 0
Information Value
ID #271
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfec
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #272: net.exe
0 0
Information Value
ID #272
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfb0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #273: net.exe
Information Value
ID #273
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1074
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #274: net.exe
Information Value
ID #274
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x101c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x102C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #275: net.exe
Information Value
ID #275
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1158
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1100
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #276: net1.exe
Information Value
ID #276
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x10bc
Parent PID 0xfec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff700000 0xff732fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff700000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:02 (UTC) True 1
Get Time type = Ticks, time = 153692 True 1
Process #277: net1.exe
Information Value
ID #277
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x113c
Parent PID 0xfb0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff700000 0xff732fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff700000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:01 (UTC) True 1
Get Time type = Ticks, time = 153582 True 1
Process #278: net1.exe
Information Value
ID #278
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xdf0
Parent PID 0x1074 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1008
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff700000 0xff732fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff700000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:02 (UTC) True 1
Get Time type = Ticks, time = 153598 True 1
Process #279: net.exe
Information Value
ID #279
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1024
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1150
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #280: net.exe
Information Value
ID #280
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10d4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #281: net1.exe
Information Value
ID #281
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x112c
Parent PID 0x101c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x110C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff700000 0xff732fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff700000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:02 (UTC) True 1
Fn
Get Time type = Ticks, time = 154004 True 1
Fn
Process #282: net1.exe
17 0
Information Value
ID #282
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1138
Parent PID 0x1158 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x11C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff700000 0xff732fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff700000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:02 (UTC) True 1 Fn
Get Time type = Ticks, time = 154004 True 1 Fn
Process #283: net.exe
0 0
Information Value
ID #283
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1140
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1178
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #284: net.exe
0 0
Information Value
ID #284
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1084
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1120
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #285: net1.exe
17 0
Information Value
ID #285
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1274
Parent PID 0x1024 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x124C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff700000 0xff732fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff700000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:02 (UTC) True 1 Fn
Get Time type = Ticks, time = 154347 True 1 Fn
Process #286: net1.exe
17 0
Information Value
ID #286
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1220
Parent PID 0x10d4 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1238
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff700000 0xff732fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff700000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:02 (UTC) True 1 Fn
Get Time type = Ticks, time = 154362 True 1 Fn
Process #287: net.exe
0 0
Information Value
ID #287
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1224
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1128
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #288: net.exe
0 0
Information Value
ID #288
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd6c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x7AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #289: net1.exe
17 0
Information Value
ID #289
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x11e8
Parent PID 0x1140 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x111C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
locale.nls 0x00200000 0x00266fff Memory Mapped File r False False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff700000 0xff732fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff700000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:03 (UTC) True 1 Fn
Get Time type = Ticks, time = 154737 True 1 Fn
Process #290: net1.exe
17 0
Information Value
ID #290
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1174
Parent PID 0x1084 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x12B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff700000 0xff732fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef46a0000 0x7fef46b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff700000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:03 (UTC) True 1
Get Time type = Ticks, time = 154799 True 1
Process #291: net.exe
0 0
Information Value
ID #291
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9b8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #292: net.exe
0 0
Information Value
ID #292
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12a4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1194
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #293: net.exe
0 0
Information Value
ID #293
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8b0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x95C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #294: net1.exe
17 0
Information Value
ID #294
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xba8
Parent PID 0x9b8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:04 (UTC) True 1
Get Time type = Ticks, time = 155704 True 1
Process #295: net1.exe
17 0
Information Value
ID #295
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1320
Parent PID 0x1224 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x131C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:04 (UTC) True 1
Get Time type = Ticks, time = 155735 True 1
Process #296: net1.exe
17 0
Information Value
ID #296
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xba4
Parent PID 0xd6c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:04 (UTC) True 1
Get Time type = Ticks, time = 155766 True 1
Process #297: net.exe
0 0
Information Value
ID #297
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12a0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x130C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #298: net1.exe
17 0
Information Value
ID #298
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLSafeOLRService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xba0
Parent PID 0x12a4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1318
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 155876 True 1 Fn
Process #299: net1.exe
17 0
Information Value
ID #299
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SMTPSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1278
Parent PID 0xe5c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x11F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 156219 True 1 Fn
Process #300: net1.exe
17 0
Information Value
ID #300
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop sophossps /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x11d0
Parent PID 0xf24 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 155954 True 1 Fn
Process #301: net1.exe
17 0
Information Value
ID #301
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SmcService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x908
Parent PID 0xef4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 155985 True 1 Fn
Process #302: net1.exe
17 0
Information Value
ID #302
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SNAC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x9e4
Parent PID 0xe74 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x12E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 156328 True 1 Fn
Process #303: net1.exe
17 0
Information Value
ID #303
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1324
Parent PID 0xc9c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1330
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 156063 True 1 Fn
Process #304: net.exe
0 0
Information Value
ID #304
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4e4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x77C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #305: net.exe
0 0
Information Value
ID #305
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLWriter /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa50
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #306: net1.exe
17 0
Information Value
ID #306
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x96c
Parent PID 0x10c8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:05 (UTC) True 1
Get Time type = Ticks, time = 156796 True 1
Process #307: net1.exe
17 0
Information Value
ID #307
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLSERVERAGENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9b0
Parent PID 0x8b0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:05 (UTC) True 1
Get Time type = Ticks, time = 156843 True 1
Process #308: net.exe
0 0
Information Value
ID #308
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SstpSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x420
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1328
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #309: net1.exe
17 0
Information Value
ID #309
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SntpService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb98
Parent PID 0xfcc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3d0000 0xff402fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3d0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:05 (UTC) True 1
Get Time type = Ticks, time = 156983 True 1
Process #310: net.exe
0 0
Information Value
ID #310
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop svcGenericHost /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x80c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #311: net.exe
0 0
Information Value
ID #311
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_filter /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x330
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #312: net.exe
0 0
Information Value
ID #312
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_service /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x578
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #313: net1.exe
20 0
Information Value
ID #313
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SstpSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1204
Parent PID 0x420 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff040000 0xff072fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 70 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff040000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = SSTPSVC True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:06 (UTC) True 1
Get Time type = Ticks, time = 157732 True 1
Process #314: net1.exe
17 0
Information Value
ID #314
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa64
Parent PID 0x4e4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff040000 0xff072fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff040000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 157763 True 1 Fn
Process #315: net1.exe
Information Value
ID #315
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLTELEMETRY /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb58
Parent PID 0x12a0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff040000 0xff072fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff040000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 157685 True 1 Fn
Process #316: net.exe
Information Value
ID #316
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_update_64 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1288
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #317: net.exe
Information Value
ID #317
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TmCCSF /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa18
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #318: net1.exe
Information Value
ID #318
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop svcGenericHost /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8c8
Parent PID 0x80c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff380000 0xff3b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff380000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 158075 True 1 Fn
Process #319: net1.exe
Information Value
ID #319
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLWriter /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd84
Parent PID 0xa50 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff380000 0xff3b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff380000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 158216 True 1 Fn
Process #320: net1.exe
Information Value
ID #320
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_service /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x918
Parent PID 0x578 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x0000000000630000 0x00630000 0x0063ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff380000 0xff3b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff380000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 158169 True 1 Fn
Process #321: net.exe
Information Value
ID #321
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop tmlisten /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1344
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x82C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #322: net.exe
Information Value
ID #322
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKey /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1e0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x964
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #323: net1.exe
Information Value
ID #323
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_filter /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x828
Parent PID 0x330 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:07 (UTC) True 1
Get Time type = Ticks, time = 158824 True 1
Process #324: net.exe
Information Value
ID #324
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7e4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBD4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #325: net1.exe
Information Value
ID #325
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_update_64 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x24c
Parent PID 0x1288 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1348
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:07 (UTC) True 1
Get Time type = Ticks, time = 158949 True 1
Process #326: net.exe
Information Value
ID #326
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x528
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #327: net1.exe
Information Value
ID #327
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TmCCSF /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x5e0
Parent PID 0xa18 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:07 (UTC) True 1
Get Time type = Ticks, time = 159043 True 1
Process #328: net1.exe
Information Value
ID #328
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop tmlisten /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x360
Parent PID 0x1344 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:07 (UTC) True 1
Get Time type = Ticks, time = 159074 True 1
Process #329: net.exe
Information Value
ID #329
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop UI0Detect /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9dc
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #330: net.exe
Information Value
ID #330
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc6c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x61C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #331: net1.exe
Information Value
ID #331
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKeyScheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc94
Parent PID 0x7e4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1260
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
locale.nls 0x00180000 0x001e6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:07 (UTC) True 1
Get Time type = Ticks, time = 159511 True 1
Process #332: net1.exe
17 0
Information Value
ID #332
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb50
Parent PID 0x528 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1200
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 159542 True 1 Fn
Process #333: net.exe
0 0
Information Value
ID #333
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc0c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x814
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0009ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
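The processes in this part of the report are the sample's service-kill stage: fivjf.exe (PID 0x954) launches one `"C:\Windows\System32\net.exe" stop <service> /y` per target, and each net.exe hands the work to a net1.exe child carrying the same service name (for VeeamBrokerSvc, #333 is the net.exe and #340 the net1.exe). Two details matter for detection. First, every stop appears twice in process-creation telemetry (net.exe and net1.exe), and net1.exe's parent is net.exe rather than the malware, so an analytic must either count only net.exe launches or walk the parent chain back to the originating binary. Second, most targets do not exist on the sandbox: net1's `Get Service Name` lookup fails and the process only writes an error to stderr, so nothing is actually stopped, whereas UI0Detect (#334) is present and is opened through the service control manager. The 30- and 52-byte stderr writes are consistent with net1's "The service name is invalid." and "NET HELPMSG 2185" messages, but the report does not reproduce the written data, so treat that as an inference. The Python below is an added example and is not part of the VMRay report or of the sample: it runs a burst detector over constructed process-creation events whose PIDs and command lines follow this report (the user path is a placeholder), and flags an origin process that launches three or more `net stop` commands within ten seconds, recording whether every one used `/y` and which targets are on a watch list seeded from the sample's own targets. The window, threshold and watch list are assumptions to tune.

```python
"""Added example (not from the VMRay report): flag a burst of `net stop <svc> /y`.
Events are constructed Sysmon-style process creations mirroring the report's chain
fivjf.exe -> net.exe -> net1.exe; PIDs and command lines follow the report."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Seeded from the services this sample tries to stop; extend with your own backup / AV names.
WATCHED_SERVICES = {
    "truekey", "truekeyservicehelper", "veeambackupsvc", "veeambrokersvc",
    "veeamcatalogsvc", "veeamcloudsvc", "veeamdeploymentservice",
}

# `net stop <svc> [/y]` or the `net1 stop <svc> /y` hand-off, quoted or not, with or without the path.
NET_STOP_RE = re.compile(
    r'^"?(?:[a-z]:\\windows\\system32\\)?(net1?)(?:\.exe)?"?\s+stop\s+(\S+)(\s+/y)?\s*$',
    re.IGNORECASE)

@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str       # lower-case full image path
    cmdline: str

def parse_net_stop(cmdline: str) -> Optional[Tuple[str, str, bool]]:
    """Return (tool, service, forced) for a net/net1 stop command, else None."""
    m = NET_STOP_RE.match(cmdline.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower(), m.group(3) is not None

def root_parent(by_pid: Dict[int, ProcEvent], ev: ProcEvent, max_depth: int = 8) -> Optional[ProcEvent]:
    """Walk past net.exe/net1.exe parents to the process that started the burst."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None              # chain leaves the telemetry we have
        if not parent.image.endswith(("\\net.exe", "\\net1.exe")):
            return parent
        cur = parent
    return None

def find_service_stop_bursts(events: List[ProcEvent], window: timedelta = timedelta(seconds=10),
                             min_stops: int = 3) -> List[dict]:
    """Flag an origin that launches >= min_stops `net stop` commands inside `window`.
    Only net.exe launches are counted: each `net stop` also spawns a net1.exe child
    with the same service name, so counting both would double every hit."""
    by_pid = {e.pid: e for e in events}
    stops_by_origin = defaultdict(list)   # (pid, image) -> [(ts, service, forced)]
    for ev in sorted(events, key=lambda e: e.ts):
        parsed = parse_net_stop(ev.cmdline)
        if not parsed or parsed[0] != "net":
            continue
        _, service, forced = parsed
        origin = root_parent(by_pid, ev)
        key = (origin.pid, origin.image) if origin else (ev.ppid, "<not in telemetry>")
        stops_by_origin[key].append((ev.ts, service, forced))

    findings = []
    for (pid, image), stops in stops_by_origin.items():
        for i in range(len(stops)):       # sliding window over time-sorted stops
            j = i
            while j + 1 < len(stops) and stops[j + 1][0] - stops[i][0] <= window:
                j += 1
            if j - i + 1 >= min_stops:
                burst = stops[i:j + 1]
                findings.append({
                    "origin_pid": pid, "origin_image": image, "count": len(burst),
                    "forced": all(f for _, _, f in burst),
                    "watched_hits": sorted({s for _, s, _ in burst} & WATCHED_SERVICES),
                    "first_seen": burst[0][0]})
                break                     # one finding per origin is enough
    return findings

T0 = datetime(2018, 11, 27, 19, 47, 7)    # the report's "Get Time" value
T1 = T0 + timedelta(seconds=1)
NET, NET1 = r"c:\windows\system32\net.exe", r"c:\windows\system32\net1.exe"
SAMPLE_EVENTS = [                          # constructed; user path is a placeholder
    ProcEvent(T0 - timedelta(seconds=120), 0x954, 0x3F0, r"c:\users\victim\desktop\fivjf.exe",
              r'"C:\Users\victim\Desktop\fivjf.exe"'),
    ProcEvent(T0, 0x528, 0x954, NET, r'"C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y'),
    ProcEvent(T0, 0xB50, 0x528, NET1, r"C:\Windows\system32\net1 stop TrueKeyServiceHelper /y"),
    ProcEvent(T1, 0xC0C, 0x954, NET, r'"C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y'),
    ProcEvent(T1, 0xA8C, 0xC0C, NET1, r"C:\Windows\system32\net1 stop VeeamBrokerSvc /y"),
    ProcEvent(T1, 0x9DC, 0x954, NET, r'"C:\Windows\System32\net.exe" stop UI0Detect /y'),
    ProcEvent(T1, 0xC4, 0x9DC, NET1, r"C:\Windows\system32\net1 stop UI0Detect /y"),
    ProcEvent(T1, 0xC5C, 0x954, NET, r'"C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y'),
    # benign control: an administrator stopping a single service from a shell
    ProcEvent(T0 + timedelta(hours=1), 0x1100, 0x1000, r"c:\windows\system32\cmd.exe", "cmd.exe"),
    ProcEvent(T0 + timedelta(hours=1), 0x1200, 0x1100, NET, "net stop Spooler"),
]

if __name__ == "__main__":
    for finding in find_service_stop_bursts(SAMPLE_EVENTS):
        print(finding)
```

On a real host the same logic applies to Sysmon Event ID 1 or Security 4688 records; the single `net stop Spooler` from cmd.exe is deliberately left below the threshold, and UI0Detect is counted in the burst but not reported as a watch-list hit.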
Process #334: net1.exe
20 0
Information Value
ID #334
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop UI0Detect /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc4
Parent PID 0x9dc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x968
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x00000000005b0000 0x005b0000 0x005bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 60 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = UI0DETECT True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:08 (UTC) True 1 Fn
Get Time type = Ticks, time = 159932 True 1 Fn
Process #335: net1.exe
17 0
Information Value
ID #335
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamBackupSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9b4
Parent PID 0xc6c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x49C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:08 (UTC) True 1 Fn
Get Time type = Ticks, time = 159932 True 1 Fn
Process #336: net.exe
0 0
Information Value
ID #336
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc5c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #337: net1.exe
17 0
Information Value
ID #337
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKey /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb04
Parent PID 0x1e0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x135C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x005bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff50000 0xfff82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfff50000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:08 (UTC) True 1 Fn
Get Time type = Ticks, time = 160291 True 1 Fn
Process #338: net.exe
0 0
Information Value
ID #338
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1354
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #339: net.exe
0 0
Information Value
ID #339
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x137c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #340: net1.exe
Host behavior operations: 17, network operations: 0
Information Value
ID #340
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamBrokerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa8c
Parent PID 0xc0c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffeb0000 0xffee2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffeb0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:08 (UTC) True 1
Get Time type = Ticks, time = 160509 True 1
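The net.exe and net1.exe entries in this report show the sample force-stopping Veeam backup services with `net stop <service> /y`, each net.exe handing the request to a net1.exe child that does the real Service Control Manager work. In the net1.exe processes the `Get Service Name` lookup fails and the process writes 30, 2 and 52 bytes to STD_ERROR_HANDLE, which is consistent with the standard "The service name is invalid." / "More help is available by typing NET HELPMSG 2185." text (28 and 50 characters plus CRLF): the Veeam services were simply not installed in the sandbox, so the kill list is evidence of intent rather than of impact. The following detection rule is an added example, not part of the VMRay report or of any vendor's code. It runs over constructed process-creation records whose PIDs, parent chain and command lines are copied from this report (the cmd.exe/Spooler and `net use` records are invented benign controls, the user path is shortened, and Sysmon Event ID 1 field names are used only as a naming convention); the SERVICE_HINTS watchlist is an assumption.

```python
"""Detect ransomware-style backup-service tampering in process-creation telemetry.

Added example (not part of the VMRay report). The records below are constructed:
PIDs, parent chain and `net stop ... /y` command lines are copied from the report;
the cmd.exe/Spooler and `net use` records are invented benign controls.
Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) but no
Sysmon log is parsed here.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


NET = r"C:\Windows\System32\net.exe"
NET1 = r"C:\Windows\System32\net1.exe"
SAMPLE = r"C:\Users\victim\Desktop\fivjf.exe"  # shortened; the report uses a random user name

EVENTS = [
    # fivjf.exe (PID 0x954) force-stops four Veeam services via net.exe (report #341-#343, #347)
    ProcEvent(0x938, 0x954, SAMPLE, NET, r'"C:\Windows\System32\net.exe" stop VeeamDeploySvc /y'),
    ProcEvent(0xc14, 0x954, SAMPLE, NET, r'"C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y'),
    ProcEvent(0xd0c, 0x954, SAMPLE, NET, r'"C:\Windows\System32\net.exe" stop VeeamMountSvc /y'),
    ProcEvent(0x81c, 0x954, SAMPLE, NET, r'"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y'),
    # net.exe hands each request to a net1.exe child (report #348, #340)
    ProcEvent(0xcd8, 0xd0c, NET, NET1, r"C:\Windows\system32\net1 stop VeeamMountSvc /y"),
    ProcEvent(0xa8c, 0xc0c, NET, NET1, r"C:\Windows\system32\net1 stop VeeamBrokerSvc /y"),
    # constructed benign controls: an admin stopping the spooler, and a drive mapping
    ProcEvent(0x1111, 0x1000, r"C:\Windows\System32\cmd.exe", NET, r"net stop Spooler"),
    ProcEvent(0x1112, 0x1000, r"C:\Windows\System32\cmd.exe", NET, r"net use Z: \\fileserver\share"),
]

# Watchlist of service-name fragments (assumption for this example, seeded from
# the Veeam names in the report; extend with your own backup/VSS/DB products).
SERVICE_HINTS = ("veeam", "backup", "vss", "sql")

# `net stop X` or `net1 stop X`, quoted or unquoted image path, optional .exe
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?([^\s"]+)', re.I)
FORCE_RE = re.compile(r"(?:^|\s)/y(?:\s|$)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_net_stop(cmdline: str):
    """Return (service, forced) for a `net stop` / `net1 stop` command line, else None."""
    m = NET_STOP_RE.search(cmdline)
    if not m:
        return None
    return m.group(1), FORCE_RE.search(cmdline) is not None


def find_service_stops(events):
    """Return (event, service, forced) once per logical stop request.

    net.exe re-executes itself as net1.exe, which is the process that actually
    talks to the SCM, so a net1.exe child of net.exe is skipped to avoid counting
    the same request twice. Caveat: if the net.exe record were missing from your
    telemetry, that stop would be lost too; keep the net1.exe record instead if
    you cannot rely on seeing the parent.
    """
    hits = []
    for ev in events:
        parsed = parse_net_stop(ev.cmdline)
        if parsed is None:
            continue
        if basename(ev.image) == "net1.exe" and basename(ev.parent_image) == "net.exe":
            continue
        service, forced = parsed
        hits.append((ev, service, forced))
    return hits


def is_backup_service(name: str) -> bool:
    return any(h in name.lower() for h in SERVICE_HINTS)


def detect_backup_tampering(events, burst_threshold: int = 3):
    """Alert when one parent force-stops several distinct backup-related services.

    This is the pattern in the report: the sample, not an admin shell, spawns a
    burst of `net stop <VeeamSvc> /y`. Whether the stops succeed is irrelevant;
    in the sandbox they failed because the services were not installed.
    """
    per_parent = defaultdict(set)
    for ev, service, forced in find_service_stops(events):
        if forced and is_backup_service(service):
            per_parent[(ev.ppid, ev.parent_image)].add(service)
    return [
        {"ppid": ppid, "parent_image": pimg, "services": sorted(svcs)}
        for (ppid, pimg), svcs in per_parent.items()
        if len(svcs) >= burst_threshold
    ]


if __name__ == "__main__":
    for alert in detect_backup_tampering(EVENTS):
        print(f"ALERT parent pid={alert['ppid']:#x} {alert['parent_image']} "
              f"force-stopped {len(alert['services'])} backup services: {alert['services']}")
```

Keying the burst on the parent rather than on net.exe itself is what separates this behaviour from an administrator stopping one service by hand; in the report every `net stop` shares parent PID 0x954 (fivjf.exe), and the `/y` switch, which suppresses the dependent-services prompt, is a further sign that no human is at the keyboard.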
Process #341: net.exe
Host behavior operations: 0, network operations: 0
Information Value
ID #341
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x938
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x123C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #342: net.exe
Host behavior operations: 0, network operations: 0
Information Value
ID #342
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc14
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
locale.nls 0x00190000 0x001f6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #343: net.exe
Host behavior operations: 0, network operations: 0
Information Value
ID #343
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd0c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1018
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #344: net1.exe
Host behavior operations: 17, network operations: 0
Information Value
ID #344
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamDeploymentService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x32c
Parent PID 0x137c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff930000 0xff962fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff930000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:09 (UTC) True 1
Get Time type = Ticks, time = 160993 True 1
Process #345: net1.exe
Host behavior operations: 17, network operations: 0
Information Value
ID #345
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamCatalogSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1040
Parent PID 0xc5c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1038
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff930000 0xff962fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff930000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:09 (UTC) True 1
Get Time type = Ticks, time = 160915 True 1
Process #346: net1.exe
Host behavior operations: 17, network operations: 0
Information Value
ID #346
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamCloudSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc1c
Parent PID 0x1354 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff930000 0xff962fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff930000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:09 (UTC) True 1
Get Time type = Ticks, time = 160915 True 1
Process #347: net.exe
Host behavior operations: 0, network operations: 0
Information Value
ID #347
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x81c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #348: net1.exe
17 0
Information Value
ID #348
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamMountSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xcd8
Parent PID 0xd0c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x128C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff690000 0xff6c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff690000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:09 (UTC) True 1
Get Time type = Ticks, time = 161429 True 1
Process #349: net1.exe
17 0
Information Value
ID #349
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x3c8
Parent PID 0xc14 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x944
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x0000000000640000 0x00640000 0x0064ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff690000 0xff6c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff690000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:09 (UTC) True 1
Get Time type = Ticks, time = 161320 True 1
Process #350: net1.exe
17 0
Information Value
ID #350
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamDeploySvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8bc
Parent PID 0x938 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x6F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff690000 0xff6c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff690000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:09 (UTC) True 1
Get Time type = Ticks, time = 161320 True 1
Process #351: net.exe
0 0
Information Value
ID #351
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x994
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #352: net.exe
0 0
Information Value
ID #352
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x920
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #353: net.exe
0 0
Information Value
ID #353
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop W3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9a0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #354: net.exe
0 0
Information Value
ID #354
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbd8
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x774
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #355: net1.exe
17 0
Information Value
ID #355
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamNFSSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x7e0
Parent PID 0x81c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1c0000 0xff1f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:10 (UTC) True 1
Get Time type = Ticks, time = 161866 True 1
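The process records above show the pattern worth detecting: fivjf.exe (PID 0x954) launches one net.exe per backup or web service with `stop <service> /y`, and each net.exe in turn launches a net1.exe carrying the same arguments (Process #355, `net1 stop VeeamNFSSvc /y`, has PID 0x81c as its parent, which is the net.exe that ran `stop VeeamNFSSvc /y`). A rule that just counts `net stop` command lines therefore sees every stop twice and can miss the fact that all of them trace back to a single non-system binary. The Python below is an added example, not part of the VMRay report and not VMRay code: it attributes each service stop or process kill to the process that actually issued it by walking up the tree past net.exe, net1.exe and taskkill.exe hops, de-duplicates targets per origin, and alerts when one origin has stopped or killed more than a threshold of distinct targets. The event rows are constructed: the fivjf.exe, net.exe and net1.exe PIDs and command lines mirror the report, while fivjf.exe's parent PID, the taskkill row against sqlwriter.exe, and the cmd.exe/Spooler rows are invented; the threshold of three is an assumption.

```python
import re
from collections import defaultdict

# Images that only relay a command on behalf of their parent: net.exe hands
# its arguments to net1.exe, and taskkill.exe is the usual process-kill proxy.
PROXY_IMAGES = {"net.exe", "net1.exe", "taskkill.exe"}

# "net stop <svc> /y" issued through either net.exe or net1.exe; the name may be quoted.
STOP_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?([^"\s]+)', re.IGNORECASE)
# "taskkill /IM <image> /F"
KILL_RE = re.compile(r'\btaskkill(?:\.exe)?"?\s+.*?/IM\s+"?([^"\s]+)', re.IGNORECASE)

# Constructed process-creation events: (pid, parent pid, image, command line).
# PIDs and command lines of fivjf.exe, net.exe and net1.exe mirror the report;
# fivjf.exe's parent, the taskkill row and the cmd.exe/Spooler rows are invented.
SAMPLE_EVENTS = [
    ("0x954", "0x3c0", "fivjf.exe", r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe"'),
    ("0x81c", "0x954", "net.exe", r'"C:\Windows\System32\net.exe" stop VeeamNFSSvc /y'),
    ("0x7e0", "0x81c", "net1.exe", r'C:\Windows\system32\net1 stop VeeamNFSSvc /y'),
    ("0x994", "0x954", "net.exe", r'"C:\Windows\System32\net.exe" stop VeeamRESTSvc /y'),
    ("0x920", "0x954", "net.exe", r'"C:\Windows\System32\net.exe" stop VeeamTransportSvc /y'),
    ("0x9a0", "0x954", "net.exe", r'"C:\Windows\System32\net.exe" stop W3Svc /y'),
    ("0xbd8", "0x954", "net.exe", r'"C:\Windows\System32\net.exe" stop wbengine /y'),
    ("0xbd0", "0x954", "net.exe", r'"C:\Windows\System32\net.exe" stop WRSVC /y'),
    ("0xc00", "0x954", "taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F'),
    ("0x200", "0x100", "cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ("0x300", "0x200", "net.exe", r'"C:\Windows\System32\net.exe" stop Spooler'),
]


def extract_target(image, cmdline):
    """Return ("service", name) or ("process", name) for a proxy command, else None."""
    image = image.lower()
    if image in ("net.exe", "net1.exe"):
        m = STOP_RE.search(cmdline)
        return ("service", m.group(1)) if m else None
    if image == "taskkill.exe":
        m = KILL_RE.search(cmdline)
        return ("process", m.group(1)) if m else None
    return None


def find_origin(pid, procs):
    """Walk up the process tree past net/net1/taskkill hops to the process that issued the command."""
    seen = set()
    while pid in procs and procs[pid][1].lower() in PROXY_IMAGES and pid not in seen:
        seen.add(pid)
        pid = procs[pid][0]
    return pid


def detect_service_stop_burst(events, threshold=3):
    """Map origin pid -> sorted distinct (kind, name) targets, for origins at or above threshold."""
    procs = {pid: (ppid, image) for pid, ppid, image, _ in events}
    targets = defaultdict(set)
    for pid, _, image, cmdline in events:
        hit = extract_target(image, cmdline)
        if hit is not None:
            # net1.exe repeats its parent net.exe's target, so the set collapses the pair.
            targets[find_origin(pid, procs)].add(hit)
    return {origin: sorted(hits) for origin, hits in targets.items() if len(hits) >= threshold}


if __name__ == "__main__":
    image_of = {pid: image for pid, _, image, _ in SAMPLE_EVENTS}
    for origin, hits in detect_service_stop_burst(SAMPLE_EVENTS).items():
        print(f"{image_of.get(origin, '?')} ({origin}) stopped or killed {len(hits)} distinct targets:")
        for kind, name in hits:
            print(f"  {kind}: {name}")
```

On the sample events only fivjf.exe (0x954) is reported, with seven distinct targets; the single `net stop Spooler` from cmd.exe stays below the threshold. In a real pipeline the same logic applies to Sysmon event ID 1 or Windows 4688 records, with the parent chain taken from the logged parent PID; the origin image (here a user-profile executable rather than services.exe or an installer) is the field to pivot on next.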
Process #356: net.exe
0 0
Information Value
ID #356
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop WRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbd0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #357: net.exe
0 0
Information Value
ID #357
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x990
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #358: net1.exe
17 0
Information Value
ID #358
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamRESTSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xbf8
Parent PID 0x994 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 162163 True 1 Fn
Process #359: net1.exe
17 0
Information Value
ID #359
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamTransportSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa3c
Parent PID 0x920 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 162194 True 1 Fn
Process #360: net1.exe
17 0
Information Value
ID #360
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop W3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xad4
Parent PID 0x9a0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 162225 True 1 Fn
Process #361: net.exe
0 0
Information Value
ID #361
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb4c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x504
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #362: net1.exe
17 0
Information Value
ID #362
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop WRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x708
Parent PID 0xbd0 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:11 (UTC) True 1 Fn
Get Time type = Ticks, time = 162693 True 1 Fn
Process #363: net1.exe
20 0
Information Value
ID #363
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xcc8
Parent PID 0xbd8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x924
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 63 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = WBENGINE True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 162537 True 1 Fn
Process #364: net.exe
Information Value
ID #364
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbf4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #365: net.exe
Information Value
ID #365
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_update /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbec
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #366: net.exe
Information Value
ID #366
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa78
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #367: net.exe
Information Value
ID #367
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x13f4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #368: net.exe
Information Value
ID #368
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQL Backups" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x13fc
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x13F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #369: net1.exe
Information Value
ID #369
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_update /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x474
Parent PID 0xbec (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:11 (UTC) True 1 Fn
Get Time type = Ticks, time = 163177 True 1 Fn
Process #370: net1.exe
Information Value
ID #370
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x7d8
Parent PID 0xb4c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x478
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
private_0x0000000000700000 0x00700000 0x0070ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:11 (UTC) True 1 Fn
Get Time type = Ticks, time = 163192 True 1 Fn
Process #371: net1.exe
Information Value
ID #371
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x310
Parent PID 0x990 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:11 (UTC) True 1 Fn
Get Time type = Ticks, time = 163192 True 1 Fn
Process #372: net1.exe
Information Value
ID #372
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe00
Parent PID 0xbf4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:11 (UTC) True 1
Get Time type = Ticks, time = 163333 True 1
Process #373: net.exe
0 0
Information Value
ID #373
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd68
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #374: net1.exe
17 0
Information Value
ID #374
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$CXDB /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x810
Parent PID 0xa78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb80000 0xffbb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:11 (UTC) True 1
Get Time type = Ticks, time = 163489 True 1
Process #375: net.exe
0 0
Information Value
ID #375
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb28
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #376: net1.exe
17 0
Information Value
ID #376
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQL Backups" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb70
Parent PID 0x13fc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x3B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff8a0000 0xff8d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff8a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:12 (UTC) True 1
Get Time type = Ticks, time = 163738 True 1
Process #377: net.exe
0 0
Information Value
ID #377
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xda0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #378: net1.exe
17 0
Information Value
ID #378
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd9c
Parent PID 0x13f4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x13C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff8a0000 0xff8d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff8a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:12 (UTC) True 1
Get Time type = Ticks, time = 163832 True 1
Process #379: net.exe
0 0
Information Value
ID #379
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd04
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xED4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #380: net1.exe
17 0
Information Value
ID #380
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1180
Parent PID 0xd68 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa30000 0xffa62fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa30000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:12 (UTC) True 1 Fn
Get Time type = Ticks, time = 164035 True 1 Fn
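Every net1.exe record in this report looks like the one above: it is the child of a net.exe that fivjf.exe (PID 0x954) launched with "stop <service> /y" (for example #381, net.exe stop msftesql$PROD /y, PID 0xea0, spawns #387, net1 stop msftesql$PROD /y, parent 0xea0), it opens the service control manager (Open Manager SERVICES_ACTIVE_DATABASE, True), its service-name lookup fails (Get Service Name, False), and it writes 30, 2 and 52 bytes to STDERR. Those lengths match net's "The service name is invalid." and "More help is available by typing NET HELPMSG 2185." lines including CRLF, so in this sandbox the targeted services were not installed and nothing was actually stopped (an inference from the byte counts; the written data is not reproduced here). The attempt is still the signal worth detecting: one parent issuing a burst of net stop, net1 stop and taskkill /IM commands against database, backup and security-product names. The Python below is an added example, not VMRay's code or anything from the sample; the process-creation events are constructed to mirror the tree in this report, and the name-to-group mapping and the 5-in-60-seconds threshold are the example's own assumptions.

```python
"""Added example, not VMRay's code: flag a process that bulk-stops services and kills
processes, the pattern in the tree above (fivjf.exe -> net.exe stop <svc> /y -> net1.exe
stop <svc> /y, and fivjf.exe -> taskkill.exe /IM <image> /F). All events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Name fragments grouped by what stopping the service/process buys the attacker.
# The grouping is this example's assumption, not something the report states.
TARGET_GROUPS = {
    "database": ("mssql", "sqlagent", "msftesql", "dbeng", "dbsnmp", "agntsvc", "isqlplus", "oracle"),
    "backup": ("zoolz", "veeam", "backup", "vss", "wbengine"),
    "security": ("ekrn", "ehttpsrv", "eshasrv", "mcshield", "msmpeng"),  # ekrn/EhttpSrv/ESHASRV: ESET
    "office": ("excel", "winword", "outlook", "infopath", "msaccess"),
    "messaging": ("netmsmqactivator", "msmq", "msexchange"),
}
HELPER_IMAGES = {"net.exe", "net1.exe"}  # net.exe hands "stop" to a net1.exe child
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments ("Zoolz 2 Service") whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in _TOKEN.finditer(cmdline)]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_action(cmdline):
    """Return ("service_stop", name) or ("process_kill", name); None for anything else."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = basename(toks[0])
    exe = exe[:-4] if exe.endswith(".exe") else exe  # net1 is launched without an extension
    args = toks[1:]
    if exe in ("net", "net1", "sc") and len(args) >= 2 and args[0].lower() == "stop":
        return ("service_stop", args[1].lower())
    if exe == "taskkill":
        for i, arg in enumerate(args[:-1]):
            if arg.lower() == "/im":
                return ("process_kill", args[i + 1].lower())
    return None

def classify(target):
    for group, needles in TARGET_GROUPS.items():
        if any(n in target for n in needles):
            return group
    return "other"

def origin_of(event, by_pid):
    """Walk net1.exe -> net.exe back to the process that launched the helper chain."""
    for _ in range(8):  # bounded, in case a recycled PID makes the chain loop
        parent = by_pid.get(event["ppid"])
        if parent is None or basename(event["parent_image"]) not in HELPER_IMAGES:
            break
        event = parent
    return event["ppid"], basename(event["parent_image"])

def detect_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Alert when one origin issues >= threshold distinct stop/kill commands inside window."""
    by_pid = {e["pid"]: e for e in events}
    per_origin, seen = defaultdict(list), set()
    for e in events:
        action = parse_action(e["cmdline"])
        if action is None:
            continue
        origin = origin_of(e, by_pid)
        if (origin, action) in seen:  # net.exe and its net1.exe child carry the same command
            continue
        seen.add((origin, action))
        per_origin[origin].append((datetime.fromisoformat(e["ts"]), action))
    alerts = []
    for (pid, image), acts in per_origin.items():
        acts.sort()
        for i in range(len(acts)):
            hits = [a for t, a in acts[i:] if t - acts[i][0] <= window]
            if len(hits) >= threshold:
                alerts.append({"origin_pid": pid, "origin_image": image, "count": len(hits),
                               "groups": sorted({classify(name) for _, name in hits}),
                               "targets": [name for _, name in hits]})
                break
    return alerts

def ev(ts, pid, ppid, parent_image, cmdline):
    return {"ts": ts, "pid": pid, "ppid": ppid, "parent_image": parent_image, "cmdline": cmdline}

# Constructed process-creation events mirroring the report's tree (timestamps invented).
FIVJF, NET = r"C:\Users\victim\Desktop\fivjf.exe", r"C:\Windows\System32\net.exe"
SAMPLE_EVENTS = [
    ev("2018-11-27T19:47:10", 0x97C, 0x954, FIVJF, r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'),
    ev("2018-11-27T19:47:10", 0xA08, 0x954, FIVJF, r'"C:\Windows\System32\taskkill.exe" /IM excel.exe /F'),
    ev("2018-11-27T19:47:11", 0xD68, 0x954, FIVJF, r'"C:\Windows\System32\net.exe" stop MSSQL$PROD /y'),
    ev("2018-11-27T19:47:12", 0x1180, 0xD68, NET, r"C:\Windows\system32\net1 stop MSSQL$PROD /y"),
    ev("2018-11-27T19:47:12", 0xB28, 0x954, FIVJF, r'"C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y'),
    ev("2018-11-27T19:47:13", 0xEB0, 0xB28, NET, r'C:\Windows\system32\net1 stop "Zoolz 2 Service" /y'),
    ev("2018-11-27T19:47:13", 0x6B4, 0x954, FIVJF, r'"C:\Windows\System32\net.exe" stop ekrn /y'),
    ev("2018-11-27T19:47:13", 0xD38, 0x954, FIVJF, r'"C:\Windows\System32\net.exe" stop NetMsmqActivator /y'),
    # Benign noise: an admin stopping a single service from cmd.exe, and an unrelated launch.
    ev("2018-11-27T19:47:40", 0x1500, 0x1400, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\net.exe" stop Spooler /y'),
    ev("2018-11-27T19:47:41", 0x1600, 0x800, r"C:\Windows\explorer.exe", r'"C:\Windows\System32\notepad.exe"'),
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

Because net.exe forwards the verb to a net1.exe child, a rule keyed on the image name net1.exe sees each command twice (once in net.exe, once in net1.exe) and attributes it to net.exe rather than to the malware; the example walks net1.exe back to whatever launched net.exe and de-duplicates on (origin, action), so each service counts once against fivjf.exe. The same walk also handles an attacker who launches net1.exe directly, and the admin's lone "net stop Spooler" from cmd.exe stays below the threshold.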
Process #381: net.exe
0 0
Information Value
ID #381
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop msftesql$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xea0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #382: net1.exe
17 0
Information Value
ID #382
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerADHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xcf8
Parent PID 0xda0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:12 (UTC) True 1 Fn
Get Time type = Ticks, time = 164518 True 1 Fn
Process #383: net.exe
0 0
Information Value
ID #383
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd38
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #384: net1.exe
17 0
Information Value
ID #384
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xeb0
Parent PID 0xb28 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:13 (UTC) True 1 Fn
Get Time type = Ticks, time = 165361 True 1 Fn
Process #385: net.exe
0 0
Information Value
ID #385
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EhttpSrv /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x344
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #386: net1.exe
17 0
Information Value
ID #386
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0x1148
Parent PID 0xd04 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:13 (UTC) True 1 Fn
Get Time type = Ticks, time = 165329 True 1 Fn
Process #387: net1.exe
17 0
Information Value
ID #387
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop msftesql$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1360
Parent PID 0xea0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xADC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:13 (UTC) True 1 Fn
Get Time type = Ticks, time = 165345 True 1 Fn
Process #388: net.exe
0 0
Information Value
ID #388
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ekrn /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6b4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #389: net.exe
Information Value
ID #389
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ESHASRV /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1390
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x13DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #390: net.exe
Information Value
ID #390
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf5c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #391: net.exe
Information Value
ID #391
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcf4
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #392: net.exe
Information Value
ID #392
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AVP /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1258
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #393: net.exe
Information Value
ID #393
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop klnagent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd20
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #394: net.exe
Information Value
ID #394
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x288
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #395: net1.exe
Information Value
ID #395
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf34
Parent PID 0xf5c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:13 (UTC) True 1 Fn
Get Time type = Ticks, time = 165376 True 1 Fn
Process #396: net1.exe
Information Value
ID #396
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1270
Parent PID 0xcf4 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:13 (UTC) True 1 Fn
Get Time type = Ticks, time = 165376 True 1 Fn
Process #397: net1.exe
Information Value
ID #397
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AVP /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:03, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe7c
Parent PID 0x1258 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:13 (UTC) True 1
Get Time type = Ticks, time = 165127 True 1
Process #398: net.exe
Information Value
ID #398
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd28
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #399: net1.exe
Information Value
ID #399
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop klnagent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xedc
Parent PID 0xd20 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:14 (UTC) True 1
Get Time type = Ticks, time = 165813 True 1
Process #400: net1.exe
Information Value
ID #400
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x12b4
Parent PID 0x288 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:14 (UTC) True 1
Get Time type = Ticks, time = 165860 True 1
Process #401: net.exe
Information Value
ID #401
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12b0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #402: net1.exe
Information Value
ID #402
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ESHASRV /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd60
Parent PID 0x1390 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:14 (UTC) True 1
Get Time type = Ticks, time = 166312 True 1
Process #403: net1.exe
Information Value
ID #403
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ekrn /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf38
Parent PID 0x6b4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x440
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:14 (UTC) True 1
Get Time type = Ticks, time = 165953 True 1
Process #404: net.exe
Information Value
ID #404
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop kavfsslp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf10
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
locale.nls 0x00200000 0x00266fff Memory Mapped File r False False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #405: net1.exe
Information Value
ID #405
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EhttpSrv /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xde8
Parent PID 0xdb4 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:14 (UTC) True 1
Get Time type = Ticks, time = 166359 True 1
Process #406: net1.exe
Information Value
ID #406
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop NetMsmqActivator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf08
Parent PID 0xd38 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x4EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 55 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = NETMSMQACTIVATOR True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:14 (UTC) True 1
Get Time type = Ticks, time = 166219 True 1
Process #407: net1.exe
Information Value
ID #407
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1030
Parent PID 0xd28 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef43a0000 0x7fef43b1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:14 (UTC) True 1
Get Time type = Ticks, time = 166484 True 1
Process #408: net.exe
Information Value
ID #408
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop KAVFSGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xec0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1070
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #409: net.exe
Information Value
ID #409
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop KAVFS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xee0
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #410: net.exe
Information Value
ID #410
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfefire /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x126c
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff5a0000 0xff5bbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #411: cmd.exe
Information Value
ID #411
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe" /f
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xf58
Parent PID 0x954 (c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x12CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
locale.nls 0x002f0000 0x00356fff Memory Mapped File r False False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
pagefile_0x0000000000510000 0x00510000 0x00697fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006a0000 0x006a0000 0x00820fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000830000 0x00830000 0x01c2ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001c30000 0x01c30000 0x01f72fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01f80000 0x0224efff Memory Mapped File r False False False -
cmd.exe 0x4a560000 0x4a5b8fff Memory Mapped File rwx True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef8f40000 0x7fef8f47fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop type = file_attributes True 2
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 3
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\system32\reg.exe os_pid = 0xfa0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a560000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77550000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77566d40 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x775623d0 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77558290 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x775617e0 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:15 (UTC) True 1
Get Time type = Ticks, time = 167545 True 1
Environment (19)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #412: net1.exe
Information Value
ID #412
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop kavfsslp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xce8
Parent PID 0xf10 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:15 (UTC) True 1
Get Time type = Ticks, time = 167092 True 1
Process #413: net1.exe
20 0
Information Value
ID #413
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xfbc
Parent PID 0x12b0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xED8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 63 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = WBENGINE True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:15 (UTC) True 1
Get Time type = Ticks, time = 167092 True 1
Process #414: net1.exe
17 0
Information Value
ID #414
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop KAVFSGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x12d4
Parent PID 0xec0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x0000000000690000 0x00690000 0x0069ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb10000 0xffb42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:15 (UTC) True 1
Get Time type = Ticks, time = 167108 True 1
Process #415: dwm.exe
19566 0
Information Value
ID #415
File Name c:\windows\system32\dwm.exe
Command Line "C:\Windows\system32\Dwm.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:04, Reason: Injection
Unmonitor End Time: 00:05:06, Reason: Terminated by Timeout
Monitor Duration 00:03:02
OS Process Information
Information Value
PID 0x448
Parent PID 0x33c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8A4
0x460
0x454
0x44C
0xEE4
0x98C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00112fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x00337fff Pagefile Backed Memory r True False False -
private_0x0000000000340000 0x00340000 0x00340fff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x00352fff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00600fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x01a0ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001a10000 0x01a10000 0x01e02fff Pagefile Backed Memory r True False False -
rsaenh.dll 0x01e10000 0x01e54fff Memory Mapped File r False False False -
private_0x0000000001e70000 0x01e70000 0x01e7ffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01f7ffff Private Memory rw True False False -
pagefile_0x0000000001f80000 0x01f80000 0x0205efff Pagefile Backed Memory r True False False -
private_0x0000000002070000 0x02070000 0x020effff Private Memory rw True False False -
private_0x0000000002170000 0x02170000 0x021effff Private Memory rw True False False -
private_0x00000000021f0000 0x021f0000 0x022effff Private Memory rw True False False -
private_0x0000000002300000 0x02300000 0x0237ffff Private Memory rw True False False -
private_0x00000000023d0000 0x023d0000 0x0244ffff Private Memory rw True False False -
sortdefault.nls 0x02490000 0x0275efff Memory Mapped File r False False False -
private_0x0000000002760000 0x02760000 0x02854fff Private Memory rw True False False -
private_0x0000000002930000 0x02930000 0x029affff Private Memory rw True False False -
private_0x0000000002a00000 0x02a00000 0x02a7ffff Private Memory rw True False False -
private_0x0000000002a90000 0x02a90000 0x02b0ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
psapi.dll 0x77830000 0x77836fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
dwm.exe 0xff310000 0xff332fff Memory Mapped File rwx False False False -
private_0x000000013f0e0000 0x13f0e0000 0x13f113fff Private Memory rwx True False False -
dxgi.dll 0x7fefa700000 0x7fefa7a6fff Memory Mapped File rwx False False False -
d3d10_1core.dll 0x7fefa7b0000 0x7fefa804fff Memory Mapped File rwx False False False -
d3d10_1.dll 0x7fefa810000 0x7fefa843fff Memory Mapped File rwx False False False -
dwmcore.dll 0x7fefa850000 0x7fefa9e1fff Memory Mapped File rwx False False False -
dwmredir.dll 0x7fefa9f0000 0x7fefaa16fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
windowscodecs.dll 0x7fefb970000 0x7fefba99fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbae0000 0x7fefbaf7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
userenv.dll 0x7fefc960000 0x7fefc97dfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd5c0000 0x7fefd5cefff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefd660000 0x7fefd66efff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefd750000 0x7fefd8b6fff Memory Mapped File rwx False False False -
wintrust.dll 0x7fefd8c0000 0x7fefd8f9fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe 0x958 address = 0x13f0e0000, size = 212992 True 1
Create Remote Thread #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe 0x958 address = 0x13f0e1a30 True 1
Created Files
Filename File Size Hash Values YARA Match Actions
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE 1.41 KB MD5: 376371797a6ef40e0a190a67ec4d6e3d
SHA1: 110e86170db38fd97af71ebc11c0f0de11896586
SHA256: 176561bc22c7f038d487dcf8add2ad7f9ef2fa897c4f45a862256cd5542b18bc
SSDeep: 24:cYI9el+fE/DzBvd8QthLyYoHuZ4sB3AEXRJZtrDzFyOpZPCfES7Ch:7G6+M/1euhL/GmnDznpZP1h
False
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.05 KB MD5: 93a5aadeec082ffc1bca5aa27af70f52
SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SSDeep: 3:/lE7L6N:+L6N
False
C:\ProgramData\Adobe\ARM\Reader_10.0.0\RyukReadMe.txt 0.78 KB MD5: 9b9b2e4a337b919c8d4cbe12cd7cfbfb
SHA1: 6f2b7a597f6d7dd660d05a3cd7fb1e2baffd863c
SHA256: a1e56b18f1d7f5e2a072a16c68436a7bd2045e6c6be1ef7710e36153b98216f8
SSDeep: 24:iVezHysv9F2Ob/87gPsoU3gMqvKHHLb1+y3RhXYa1vTn:xzSsv9FjxFiH0i51b
False
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.33 KB MD5: 7389abf60b876c7c0c8d4a16fdfef2e9
SHA1: 49895b428f08f6b46dacb89b73544d28cf6ec040
SHA256: 6073ff15eb16e336e0683ea47c0ce279bb2db6a3b27a6fc9e34fa24b0faa1f81
SSDeep: 6:Rqh3CeQ9ZLAw+BFuJRqT2WQNcj2Ebe6Wl6llvIVGvnf8h+2xIM0dghy5ed9nBJr:RqhSb8wp+T2WRTTWYtIAHvgIbCyAd9BR
False
C:\users\Public\PUBLIC 0.27 KB MD5: 1c48dbf119eb64cace7a301a213677c7
SHA1: 0286a4792ea55c2dd29a72a882dd3e19c490b665
SHA256: b64cb06504f8b0c8c164d4a835bd372ff129d7f9c1ea706f5dc4a16155b0c0e9
SSDeep: 6:mtNnizOoYe4wXUsnJV+ikmWAGzyhEQawysZJeyDn:YDY7+njvhQa6jeyD
False
Modified Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\CREDHIST 0.44 KB MD5: b2dff66e31a468df315b722d4a1d89f3
SHA1: bb67ce46518cc6780f16ff5562131f9ce808129d
SHA256: 4707c48ccfd18c2ceafea469f3acc97604e1f4b1a53892bf8c92af6ab87c84c0
SSDeep: 12:/Ur1dhjlO5kIxYBEaadQsTrFex0sbdQyzNpIdKIM/r7YE6g:/Ur13lO6/IHFexpbdQ4PgK//fYEx
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778 0.66 KB MD5: 014425ea440da23761169d6d290dc222
SHA1: c67a9c918a53541577fbc955c6f2d1e8ea445b92
SHA256: 0bb53e3ccab16134b510ee4d0765261b04f39ca88394903b0ce884423ec52538
SSDeep: 12:oHYlx8SqOC92cNiicxsBPjtk6NFIG1hjJjfQ5U8/WXCiRLiJ5SitQUhDfSTXhDAe:/lqOCIcNYubNFImh5fmAC+85FlSR/ok
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21 0.66 KB MD5: 4dfcc136ba5afcec480015e3b2da043a
SHA1: 53857376ac032913bd71c211e958cc85babe1028
SHA256: 168c163e613440d48de861374a1b3035a5ba2fe8c00688b153f4359f6539c6e0
SSDeep: 12:80KG+H80ck6lp9w0X4F7pSCWmc11ST6Q/vyO6r8HjnRefx2EkKo8nIHacd8JAun:zKDH80Alp9W7pvWt11In6QNepFxnIPdY
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties 0.97 KB MD5: d0d455ef5a424781b8ecf205cc23105f
SHA1: 2e64c695dc6cb47dabf6ebf7c3e5d5fde8ca9912
SHA256: 1c38f0f64586de2d12c04f67e52852881e3ce222184d8fa73f1f3a480c7469d0
SSDeep: 24:KdY5w/qSic68k8w/vW1xUafnktyTl3+v8gSbuoj:Ki5yqSrfknvWgafktyJ3+v8nf
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\History\History.IE5\index.dat 16.28 KB MD5: f4e031fb508a1f72396ccf9d2d6d24df
SHA1: 12696501849ae83a89451328cd6f4c839b4a6131
SHA256: e005d8341b06a0b6cf52e9847f94b7260e77ebd41cc48c3566caa158f46b67a7
SSDeep: 384:VJPQCQb6wGjctSh9JeSUFia6TbX8RDasrEnIvYoxpmkB1YtPw:VJnFOoh9JZUoa6TAResBvYGpmkBK4
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\qk1u27.mp3 3.64 KB MD5: d85978d305a5d39f201ba5f90fc4138f
SHA1: 58bde10ee4b51be181283c2b03844755243f831f
SHA256: fb0be068f1a5e22f85071f8e8ccfd8c6dcd94592d959236cb722da4292fdc5ca
SSDeep: 96:q9ZuRNsATJOQiCHg2mnaw3cIoaLlyktz01wmb1U9kO57kP0N:/RNnV4paKnoaLkTt1U9v5ge
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\iclh6Au7b22.bmp 47.35 KB MD5: e29ed67f204d46bb9ea943873bc95027
SHA1: a2a26c40da65ef8c47a29fdc25aae831357e02c5
SHA256: 489336520d73d9a0a99685307588a1e4a7ab546341decdd529ef505b5f27f91d
SSDeep: 768:fcLGnvT83H6eaYEdW/rGVxlv0lJw5S8Lgi6muT0QuHcGmPul/OsTpzbSkwvltxH9:ULGnb83H6enEorSRYw5S0xMTU8nPY/L4
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED 0.66 KB MD5: 6568129a76ae8a42cce5667ffd9200da
SHA1: a3acbcf8c9c1a7b469fba7eb82d8b46834b7139d
SHA256: 2aa9ee7908568b3bc1d0f1b586881a20236dd35e24df2dc3b61b6f0a32cfe515
SSDeep: 12:VXgEAokC7CYW4Wgr/zF3trYkjvSKi/9orNCFLbwzkVsvWf1JdbciE2e4aSMQLW:heC2EzF3trYkOKi/k0NzsuNJQpaw
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Outlook\Outlook.sharing.xml.obi 0.46 KB MD5: a9086e0e1377e09d8001013b33c378e7
SHA1: fb60db4c4d93134071a561fe8b436205ba2fdc12
SHA256: 068142fcaaa2a1bbf676e254e25c09e4d15c266a768bde738dbdbcc6242d3497
SSDeep: 12:4OZlIyKlbz1W+/7hfcPeA1lSdp8mGCrMPHgQEAwn:4elIycbE+Nfc11l+fyAQEjn
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab 568.38 KB MD5: 130658cb201bd78dfadf78f28c8ff6ad
SHA1: dbf0f682252f86c6dd307747bb5d86a6263f51c9
SHA256: e1ff442d662e632a7dd4694bf97d619e351d782e8fcbd557a912fbb800c9aa7c
SSDeep: 12288:/I+OPj4cJjwr4ai/I9sGR1nGuNANn8pHa7bznBczR+iBLXAHHNt0:/I+OPccddap9sw1Gt2pYb7fi9Utt0
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\lTL2tTUj.docx 17.05 KB MD5: d1deb085a952a7962f8d2976aa77ff5b
SHA1: ae3e8681324bfc3ebfe5a5d866893d6f70344eb0
SHA256: 31b9e22935b318f571e13835f608403d6eeb39e4fdb10e52308c237c9b9bb33d
SSDeep: 384:2jO2dvbKPbcBLw//EPt68eUOt65HjrD7KbL4kTAZiQgs:ELdWPYNq/utR5H/DObL4k6Tgs
False
C:\ProgramData\Microsoft\MF\Active.GRL 14.89 KB MD5: 86484aff5782db84a785855dafe0998a
SHA1: 3a55885410f411cad9b1c307c2b6a979faf2b037
SHA256: 19911c67975052ac75e2234d23ecae23400d37c98255ecfe242aef691e284012
SSDeep: 384:G7OVkszTWM9QFv/tdeCX+38+lOu47A2HdDS:RCs2M9QFv/SA+38+pUd2
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT 16.28 KB MD5: 98c71ab88197ba592970cb17e99df32d
SHA1: ae09775802dde17312ef4d26a53609210c225d23
SHA256: a396fae680948282112ea86c77af3b4ef713f79d96bd09d4ee06ddc795473cac
SSDeep: 384:PKCNatrO9FHlEylY3jw40L2oTSUuDTY7pl6ongBwqd:UR6vEyll0DTYFAo+wqd
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 0.61 KB MD5: f25dd3f3c5e86c3d46c108d002952fa8
SHA1: d60fcd0df7b274a8c08d57f0a1d70329faffe152
SHA256: 442307523afe6436b7e2db425d0cfece434d4c0417be93dc908fea8886c5978c
SSDeep: 12:bntYEB10yVrq8OgxUz+oRtrCljOsEMtRD/0Gxs0binoomxNUx7BT:JYSH9q8OgxUz+oPAEMXsGFbn9NmT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\wT3KKV5LSORECEJC.bmp 36.42 KB MD5: 212bc8c63b4495a702d23c96fbdb9f0b
SHA1: b1bbeb7f64b142e9c5d1a0cbed1ca4497f6c112f
SHA256: b126d25a1998cb0c94712f26f5ad43b7e4e3db350af45af530d6b679e73934c8
SSDeep: 768:ObAb05r9CTYOEmHfgy3qcN6e/KqkjcHcMDSEuFDVqhFkZ:Ob0qoYOvHLs8YFtZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\2Ma76pE283xtnV.m4a 3.46 KB MD5: 8bc8b255302a147dd30a301db585dd46
SHA1: 363ff54e8922afab9e5add8508d0456fbf79bb09
SHA256: 9388853529c5f6fcf4fd6a1139b88f4f173bb078dad9e7f623cb928983fe555e
SSDeep: 96:n1qO0POw5tHsobs8BQzlTdxiR2rctzDF9Yr:ot9slTKoQxDUr
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C 0.69 KB MD5: 6e39cc77021793888bbd31c5a97375a2
SHA1: 2fe4e9e60ab2705c39a46c5aca46105d40ed821c
SHA256: 02a91c5081e66b4aff188fae766c64b1be45d7a3b357b07277bda2bd493736a0
SSDeep: 12:iLLyDj9JFE1QK+xtVlUIS+850izWGZoqBz5ngd9Q0U+gTTTKk7ynWnJ6rmJgNjgi:inS9J3BtVlU5JZlDngA+67yWnJ6rmEf
False
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\XsrHWz4c S2TtjJ8xdSO.bmp 24.56 KB MD5: fecc1bdf062553bfefad7159046deebd
SHA1: a8aec806c01528976670c0276ada1d8d33826c3b
SHA256: a5c094bab33b1f724d305ee317bc8316d7e78852e4bb5996bdb48586551080a8
SSDeep: 384:4lY0Pp3mq3WGywmWO5986CTnRsa7YsbYE7H52hY9ATiVTewh/lQm6:eY0xX7ywmWO5986kRsa7jbYEDh976m6
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E 0.72 KB MD5: 941260d985bd8786a8a80a047f825132
SHA1: 6bc0415a9eea366673ebf8b39a6517c0cfe20a44
SHA256: e3941c9761f55a825784d0532521d68e198ab697bd5e09fe4f9f1c3e6c676a87
SSDeep: 12:bXpZWBdLh5C2J3YmBLEzU55X6YkGJEhUjwE5CQbmQdU0eeeP5CYRpoG9/PyYkBgu:b6BdLh5J9E4bFkHsLbmt7LnmYMg0jv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\c0xKWXAnNWTFB3.swf 33.36 KB MD5: fbd60e23e01ca52b8de18db8b00839ee
SHA1: dbe1b0da821adb8e42eaaadab004be500b358844
SHA256: e36059369c35d74e37623154a2f9cb8a71658b0e0fcaaa1e799c0ef1ce18a913
SSDeep: 768:82fN4tEtOGpIgVkmZkTmtwdfYY7Qp0Bn1:FVN3pIgqmuTmaj7QpG1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E 0.66 KB MD5: 327ed2217278478730b81a9d34745df3
SHA1: d30fec2a26adf0b8fd8c7d4a380c58a0f8d603d5
SHA256: a3fd2326d538614dc3911334b33d1489f7265c2e010ae24639f1a3d1299f6ee9
SSDeep: 12:edYoqkKiefove9heEEA2iUH7s1OENjcx8z3yC85C5xjnMnOpGwceH:aKiefoG+AHUY1OENjc2zU5CHMniH
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD 128.28 KB MD5: 6766d06347ca8a8fd921fa3920bbb735
SHA1: 04add4ebc06cc103bd5f16f9b2c9eb0bc759f553
SHA256: 7374c95396f45c7817ed5479640cb70c91ffe83e3937b111163b7a984c787a95
SSDeep: 3072:PNooN9/ibTxiFTmc85FcW5NqwDKLuWSyX2t91WQFGhwu:+oCmTmvvcWPDDKCWQRGP
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Templates\Normal.dotm 20.42 KB MD5: 56e7720bde0ac5d539820c030973bd18
SHA1: 35aa337ea9003e6cd114dc05536a9cc9f00567bd
SHA256: 18e59f676b274cc31ac23db7d8f21a7b2a4bb9e98226164dc9b65d18f048fec9
SSDeep: 384:Z0ZXjhPbIHicQrh4OzcCEy7bewQDI4GWNYeJ20qRa0NAQUsUE6JhfBLNHbZugPJ2:uZXdIHbQrdzHEsbiDI4GWnqhNA+f6LHQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat 0.53 KB MD5: 956986b509e62473bfcc47229f2f4634
SHA1: 36a527826689bf3b43b9e6cffa58bfbbf617a11a
SHA256: 2c644ec1d65a59fc823b9675c6fb06cfcf7b6e937768bdc483fc5a1d2b8ad5a6
SSDeep: 12:MBEgMLjWvXjC3K4TCJNea/pKPvgBuMrqjmdYOfX5c44:SEBj0zy1Ts7gP+rvbyf
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab 10.00 MB MD5: bcbbe32c1143388e3298852e25179997
SHA1: f01443cbad61f42ba097e36331c34cbe6fdf166a
SHA256: 7dd2c030904cf6baab32f4cf8e20c13fc2513119183871e1454eb2ad3c723538
SSDeep: 196608:W5/N5IJLHEFB9PU/x52V7q7zEqaZswqLhQTcvlj9/z2H7DLKH8:W5/N5YEFBWZVEqaeqc3/iH3mH8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E 0.66 KB MD5: ab4ecf048dd24a86aae6b8e065faeba7
SHA1: 9006440c4d83b8fe3a5dcea4bbbcc86b47cb1db2
SHA256: 9695a95c1cda8c40932350b9bf92400c5700bbe1b287a2ca6775bde54214244d
SSDeep: 12:iFpP9vyEioRVcp6eLxQHuqSZbZyXR7jhyWTKxqsot8A2oJRiTh9:wpPpy9orveLCHsSRnhmxXPURiF9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6 1.69 KB MD5: 6b8cf34b4bb91d491e415f5554741558
SHA1: 78ae913ccf5c1723f8664fe21a91b277abc6a75c
SHA256: 062fee7cca59abb74870bc37e7dab57acc2070e40495a2df3bc811a316303867
SSDeep: 48:lbTl//Noq433fhuQFuNpZonJ+aTQOh088OuI2m:l35/ul3vhuwuNpKlgIR
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT 240.49 KB MD5: d8781cf73867bb93b99141fd83fe17c5
SHA1: 962a7cfc43b7a852d43c005512297e79c62aadd4
SHA256: 1a306bbf4f0132e94de689aa1c6be8781b0073082c0251ccef6bb200d2e516a4
SSDeep: 6144:KickziWQPxq9u0MsfpDKwtR3ALDsGD1uV/KQlpd5:KickrOq/M8puwvQnlyd5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Office\MSO1033.acl 37.16 KB MD5: bdad0a478ddbd1cd546467c9b960c09b
SHA1: 110a8795c055cb53f878744ec123bc602cd81d9e
SHA256: f405ad7e8a9b4a2ff381e5796ec15565308292cb2c451571fc540337cf13c9d1
SSDeep: 768:BaSIrTpytmPFRMJ0cHeJMacb6pLbluhjX2x7TWAx9o:DyUcPFK7+JMaY6pLb6X2x7TWAI
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061 1.86 KB MD5: 3f9b9d6962e729c12ef668564a3aa693
SHA1: 3d85f4363aa50a5f7cb98b8855300113573e9ac9
SHA256: f1e7d3b257bf4fbfb872ef8c5f78c5433dedc2829b31f1be753caef036bc26d2
SSDeep: 48:U+GkppgLt1t6UwaizUG0nHWRcc2NtwJUnnG6l:D4tlwdoG9G6J2Gq
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B 0.67 KB MD5: 690518e54a8eecd27dcd83afb2c35197
SHA1: 1bb63d7c6766cb7a101dacab3f4940799fba95b7
SHA256: c184ae64636ba5270fdb217335ae1cfd0d63fa81c3a793f21a05d30e726ae7cc
SSDeep: 12:sTGUlIXqZ7CpG3I19PGpAqwIpt3C6eYKlPLmwBUWvcgk8joB:Z8IqQkILOpQ7rPLHBP1m
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\brndlog.txt 12.21 KB MD5: 09bde89cd4398cdca810a3b83af4d84e
SHA1: 7a326832759a14b2452667c6ccf92a5ecf89d48e
SHA256: 630f773d28e64310b5b14c542c044b7c2be24aecdd1155c2082433c1391219c6
SSDeep: 192:xcyni6yzmjmLPazonQP7QoWHauVZ/xkUCm5feDuEFj0GcraKyVvkmFC9umpuRbhF:iynBKLPa+w7XunpTEF+TkQ8neLUT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0 0.72 KB MD5: 77e9230f46ce46ac77b36a691e8f972a
SHA1: 155d7e2dc5dc80ac4b1fd19591897c6736b359b9
SHA256: 2e0d2390f382165452a0d88c81213b932de32d58089d089b59054f5600d373d5
SSDeep: 12:KDaVDUsUrhyCr8+pONGvH4HTXPiomaRRQQgNPVUAyWwwo0s6C9Y2oKhBjf2Bca+y:lMPpycH4HbqomaRRQVNtUmRs6CFrr7ru
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds Cache\index.dat 32.28 KB MD5: 019a18b0258f0fe6498834ff6d3c4324
SHA1: c037f4f14c91e2f28daf56eee5ff3a88198bd938
SHA256: 9ee2639915ccf9e5a8f2eb867f3603d5e67a2be40a561bae3b82d07e8df3d1e0
SSDeep: 768:BwmRNEFVEH01zkh7kWW9cjNqJUnjstqvhjxx/1jO5bcMA:BwmRuegzAjNqJIuq5bVqQH
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\yKXb9QrtvXP_NF_krCM.png 57.58 KB MD5: 1855f8e0eef74f5b238d9f905541bd2e
SHA1: 60d05e9983b6c1b81c255e20a4f1685b54d5d5ae
SHA256: 9200e2828f9c325e775017f69d8910f38e9e605f138a33cc1b97b3c847010de5
SSDeep: 1536:ax6CW+jss/Jm4i4SbkfiVp0LodQXXWTRnv2p6:BCWeo40bdp08WWRM6
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\u4iYfG1p9dbIc_UDa.jpg 30.46 KB MD5: bbb3a0379a4449195a53c61e40968105
SHA1: 865ba6b2c978dd8db66fc1cbb26c4315d58ff662
SHA256: 68e95b23d7f7b41f54bab9af48d7e1abb47ea064b3e2c4ae9ffd1857b2f6c1e0
SSDeep: 768:3QZrvvSb8CpMsC5MNMV/uIzKKBCTPe/tqDnPirp:AZrS2sZMV2IztHOPirp
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\05_Pictures_taken_in_the_last_month.wpl 1.05 KB MD5: 2c3db4b4a7fe5201f801f74135ba725f
SHA1: ba8ce08c86eb0e1dcea009518e29aaeca196891e
SHA256: 109b76793f8630b23c2f2b11c0762f754b696f8be97bb5716ca0dd31a7471c60
SSDeep: 24:mdOZGdOvyAVsAj7jVcn2HHSt/NJh41e8H587xhXonn:RZdvycscY+St/6YKYDXU
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1 0.67 KB MD5: f10c03bce34af5cb2c7e627cec924c64
SHA1: c806736cc28e6e280598c25759e7a907a97de971
SHA256: 540800a2d16a5c23829b2203ec01cf237116fdfa92fd876bb1bd357a4c1eadc3
SSDeep: 12:YKumwtRQZ3xN3wkqGFdqwevEtDtttKjHrJLQVWXnssnplSZZCY60OcipaDBr:YKuRRc3RqGFdJXtupQVW3hplqCYdTv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873 0.67 KB MD5: 381cc102df41e0ce286309e660aeb017
SHA1: 32972b1380908d01d48edb5a3e69efe4a91b0bbe
SHA256: a7718442b79be0f8eaddde69effe5b82d0e5e35fde6dc22593b9f78bd07730c4
SSDeep: 12:FkMEgAgiIAnNXcLvT/LmvlrU2AJA1GSxKD7INZXnqq0m9wp69odAisJm84M4:FkMEgAXIMgryv9Ux6VZZaq79wY9oqis0
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1 0.69 KB MD5: eabbf24d14a74476fc90ca5af04782fa
SHA1: 5a020c54c141f73130cb2c311b6a96afc7c126ec
SHA256: 7abb135834b68af8671bb5c4f938f34663b07b4211331a9b3c8765eef55405ea
SSDeep: 12:YDfPrs3AHd+WrHsstcyOW6L1Np9a4aPxkSF0Lw3FXKEUQ3yXgim4f3FA4GZY6:AfM6BostcyqXSF0M31UYXiIJX
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E 0.66 KB MD5: 52674fa8fcd40f11b338ed63db81b5f5
SHA1: 428af13fb146066ca08113c36a6fe8c18c0fa496
SHA256: 0f1039089f337a12ac8edf53987c9013b6f73a13de807cf9991986a7b5d1d2cf
SSDeep: 12:SWtxzhR5Qi8mmoJgReHMeC64P8dr32UOHUe52Xnl0N8IVZ4Tpt7uoIpQ5:h+s3Hp7J3qanA8gZ4T/z95
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9 0.67 KB MD5: 78b23df4ced0e0b4dfd277ccaa3daf9e
SHA1: e86c57ac9011ebd6b5825c2e6f4388f7720b4388
SHA256: f0e56873d7c57c240db94bc8d29a4b37a9dbab0e9f5a1d0e3b46dd778e50e0cf
SSDeep: 12:cyve3b3UM4eNytV2Z0321RakMV0wmRzSWGXa+ZCRYc+S4Ult4rH+fH4AOVEWHE:c8+zgVDJkE0wmR2lXVlc+XifWFHE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\SharedDataEvents 5.28 KB MD5: 3b962a746a944131cd37f18d8aab33aa
SHA1: fdfb71932ecb031f41884502119ea46dd1d0aa81
SHA256: 436e65f810b7b7d9348201c11a5bc35dec087eaee71b5a4c6418398ba6e38c48
SSDeep: 96:KBvjiQ1UN41O2OsDxtdRctzIi77t0X/KSdKdvOGV+pR5elI056qt8Et5k2HyF+qS:KBvjiQ1U+MEutzIi7B0X/1d/tAh5628+
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\tB06YZR06 MsHas.bmp 71.03 KB MD5: b44ea31174fdc02f8792e6a7efb33b4b
SHA1: 1a39147ce64be1f8187478e6fee0f83da5885ee1
SHA256: 25e1ad36ac670c2a3c874b226539dc92493dbb2421f6fda1d5266e41583417ce
SSDeep: 1536:BctCDtYW+JHQmTfr7eW2k/Ur8DZ3JexR2O9YPYtRToEuqdtEXMJxJHeaQR:W0DtQymTfWUUwZZO2YYPYt1uyoMzJHj0
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\SYNCHIST 0.35 KB MD5: ba6aefb952412e9712291601e88e97bb
SHA1: 1c01797cc7f8ecd0da432612611096059c26dbd6
SHA256: 8a98d9f82d3f6010481e1ea6f1fb33634e31bc7e707e7fc2862d8975e1df4d86
SSDeep: 6:sBIHjHuIzTfshtGifR89SpJp9pG0PmO1j0kn+mIG8/H0bbG02zaDA:sajHD0trfMSPzo091jn+/l/UbiTec
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778 0.72 KB MD5: 8a79c75c35ad1394d9d9ebd79e3dd97f
SHA1: 403f399e55bb080d7c8dae5297d65551a476bb07
SHA256: f9f3d8b738763c7c79034d42d75cc42caecd37a358387a488471729521238fbe
SSDeep: 12:SBXL9OPFQ/e/81HN70fZFI8AZBpGhdxwvvZBvgVHsyBtgGBzliI8jt1jE4v:SBXLUtQ/ZHNofZFWIxwvBe+yQGTiNjww
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\11_All_Pictures.wpl 0.85 KB MD5: 2e83f242f773b98efe178781b49a346d
SHA1: ab72385cfc5820111e20c329c7d9e6562366990e
SHA256: a3f1ea9c6c4f5d57167d112b170c3da22c04bdfc90863e7725cfd5e6ed9e705a
SSDeep: 24:/AvvZ/BEWYbhrwBpd8YW1frWITq21hsLLc1DXS:/gBB/rB77eb1CLLc1rS
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\12_All_Video.wpl 1.33 KB MD5: 1bd84338471b2e91c04e8bba460d87ed
SHA1: f916bd28c7fca878cccd1a905d7d0e1f614c1d38
SHA256: 6ef3a26b5695c038758071c498288a2be7025b7b677650705d3089f36aceb51d
SSDeep: 24:ctUEXZ4EmpCpNEVhdKI+fwl5TOM9izZ9fgXtDIy41oha2VHUVnbj53Q/P:ctv4npCp+dKRfwlhOZYXtMyoowAUVnbS
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\Cache\AcroFnt10.lst 52.22 KB MD5: 21db9492a891b47c4c9c56b754ad912b
SHA1: 10202658072bee31d120f8bbaac7f46a0be4829e
SHA256: 9b28919bd1b3419338503e60cf97886274e1aec59286499b6729f588efc56839
SSDeep: 1536:jljDkQkbT7u9xV+L5wfNqbd3SZanY6hRosHnk:9/kT265nd3SInYzsE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat 4.78 KB MD5: 76c71cb252c958a5ed6cab1c49d2c1e4
SHA1: 8edd6ed604489c09932925580e6e0a3fe9f31036
SHA256: 6dd5c48ec934d3934e0868d5ee8aac5fe1d0eda7befdb3a20bd0ee8fad2163b2
SSDeep: 96:rFFyH/ixLdh9VNd0OZfKxTls/x4shb728rkt9lIJH96PDjtX5sTgKBSI83:rXyH/wJVwsfKx5p4b78t9290DjsrSIO
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\GogIJCxVgCUgBi89xsg.wav 5.75 KB MD5: c0410011b9089ea2a735bce17ba590fe
SHA1: 9f0a7617b6a6092daeb3d567727ab70e5bfa3658
SHA256: ff87103a51f7043e0cf27a092c1f26bdbc7d690435293a2107678eb25ba3096b
SSDeep: 96:/ZFciMX98F5jslwKWfKx8mQTUKERTk/70Y/W4hIWeBBMLpyhl6snd/eAqkc6+:/ZyiMX9HlwKWfkiYKVrSeockdmAqk9+
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\fbbe72db-afd8-443b-88dd-64b20388700d 0.74 KB MD5: 3c32289b8814f9ea8cd360fe19732614
SHA1: 7b33e44be5a72dbc00a6ee8d575ce6668fb1d3f6
SHA256: bb0068ff194aba7c6c1c1c8b3995a997e92570fd782b957ceded303ad6872513
SSDeep: 12:GhYF/RM/AAhIX3Db2+bI3d65WH/Kz+ERbHrISPQfwGFRFnuq8BB4WUIPq1MA:GGk3IXzmsWSyUbLIqQIARduTBBvUIP8V
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\ZCCXB59gEr7eihfz.png 26.28 KB MD5: fa48aea8011974076d6ab65af4c7688b
SHA1: 0afbaf020c5cf72e2d2a5528d353ca1c81e24c96
SHA256: a33332a840133fab975fd1dd630d5705e2d11a58f94a40b681f1d8a04d504a80
SSDeep: 768:/oKJ+JhZaPEl2ypF0b0NyjwQa/QTmIr4tIP5f4w:gKJ+JhSk2yH0b0Oba4aIr5Pf
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585 1.85 KB MD5: 2e2e9fbb2778372a3151905ac94dfee6
SHA1: ce906b588fa5aa48d8b5311a7e725b0f9fb2c9d9
SHA256: c933e28b15cfb21db7836d634d8be63106fa9b097c37bad80b641cacfe658c72
SSDeep: 48:y3ulJNDe04ZKixmQPVGK7+uqtuq6YJC4ujGyvGdXdMys8jN7Dz:aulXe04SQPVGK7wu5Nj3UNh9jVz
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D 0.60 KB MD5: b597f5a9d6dd4adc43d0f5e1f6316c19
SHA1: 8099493a07991c1379bb03238d2f1708364653e6
SHA256: d2b05948b843f0138c50154f1c97b3c0b6cd262b6eaa1f1c2ad7d50ca9ef904e
SSDeep: 12:MvnhMBFK9SyK5FbQlT2hLGwBue+sVMkdHK1Q4qOdo2dDCAj6Etl1E6Xw:inhqFEjHEhSuRtSkdH/2oqfj6Ez1Jg
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\manifests\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms 14.46 KB MD5: a2e1996c69935f6ddf37e41705e701d4
SHA1: 48059030ae49be4889237f89fa2b20a62830a5fe
SHA256: e278cbaac70984531529da2a3373e53e92af65178076edb7348c7b6948cc99a9
SSDeep: 384:2++1PsAi1HJnk6aR0BLGkcfNkH231NmkHVkvaAci0Zc:2dkAvR0BLQfjlUCV2ka
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3388679973-3930757225-3770151564-1000\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.36 KB MD5: fa1b526f677cefe2722f9e4a5035552f
SHA1: e4bbf09e838ed05b74e2b5a024551137c80ed455
SHA256: 1b0c6a3149896833081b5112531c43c160e5cd3fd7d368f7492156c4ecd34c50
SSDeep: 6:CtWZUCCnR96uCrw/6mXV+PrmlKYrJb1yAGDDhsrrOnWBAYDHHwOWl+3tzKYk4nqX:/UV6uDLX4eh1yFDDSJlnwOEiKlvmpcv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE 0.66 KB MD5: 5b74dbb12b6df6cb318b208715b7adef
SHA1: f3913e3c4aed6449bbb0625abee0c2a029e985d5
SHA256: a51eef5e5402a3adcf213657e0fe328b8aa0c71a545f664209b7968adcc8f035
SSDeep: 12:t2yoRgyVUxKP5zzccJYfJfSQZu0nbG+liEaef0IJh/0JZ8RVc7BOdXUH:MSxADuhSQZu0ni+oVesIh/0JH7BNH
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\UcUyVdA.gif 18.69 KB MD5: 0d9cf979caa1d2712010dcfb874e7cfa
SHA1: 89a7b458c6ea853586563f364fd5571b15d66e9d
SHA256: 2180181c32cb1ab267c06886d311de5c1df35747a4714ec0600dacdee37b0542
SSDeep: 384:OqU9f28R909n5Hbgjn5DGajc/S6Dqr/sLk8F05NJNjz1ELwzIt8ZP3uuL:OjV9YRbgjxGajGSRrkLk8yzJNdifg/L
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\12_All_Video.wpl 1.33 KB MD5: 46fcb682af1d1d0e5f243bad56503e35
SHA1: c3921e92c651796fa574ab38d603c43523242df3
SHA256: 8b06f9663a88750a256de29ae43860e57425910a5e21c2296c3378f85e48791b
SSDeep: 24:YKF98K3kVrHuie+vLVDUF4ukgbq8Wjdww3lIlqnbtga1m9K3TgOz:7FqbHuivLVYF4ukomwAISxga1CK3sOz
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF 0.66 KB MD5: 9ad2d9543259d6ea1aa6a37f089402e3
SHA1: 98f710a9e8b6c67c64a1f1594e9d1ff1e115ecbe
SHA256: f3b834b39a4e5fef140445cced691b368f976b4d9366540a5abc62697ec2c210
SSDeep: 12:rd1FHSM7hVckvRqgWaSd7nAw7MFpL+zNzsD1k+GoeEkfOc3rk/dCHs0oltE/YoTn:h1AbAqgWOwY+9sJ32EkfOqmfFOYC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\TO vJ.flv 74.28 KB MD5: 85d46e65e8f3fbc7494813c3e35ca29e
SHA1: 8138193daf68532d82272ce45ed0b88af23546d5
SHA256: d2f5cc026db55f814178dcb9c826b66312e3c086c53c706bf37234dafc5db3ec
SSDeep: 1536:e6T0ptovtTR6zvkS1zm7SwoTbZzqT1+JT9gCE17J64MCu5X:eZtoqzvjSSwoTbZzY1MhDE17YN
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 2.00 KB MD5: 0fb624e85fe4f6cb887cede173e2eb25
SHA1: cfa2fe541071331b5852ec721c291594826c1ead
SHA256: 8dc4e913c34eac42aa895471ae4363d656f39e87da09f84029b937eb177bf7f8
SSDeep: 48:mZ4cITVcvpQiuBseyEvVM+qCwdxKSH6KibOOwXkF:a4cM+pQi8sXsVGLKSaK5GF
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416 2.00 KB MD5: 6180d235de84f7d4c2a3e4d5b4d0e9d9
SHA1: e9b91c70c5b480ea4a83b9d2e78f23de8df06546
SHA256: 430c2bdf9ecc49fe2eb416ac01ee352adaca9d8bdaf7ee7d887e0e6a017647d4
SSDeep: 48:1TiikfXoPmxIBkT7HdPO7cug35H/9Ut9txDYrSGfmv2mbfzd:1yXoMI+TbdPOZg35HVUPTAfs2ih
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\hhIWqSGhkJt.xlsx 40.02 KB MD5: 913548da1c8ebb6b87fc45d7da729ec6
SHA1: d0ec85dd465980cb72363a71c9067f862259873c
SHA256: 6e171ad701c72968c7b6ff455136b37a342d8a19c7ee676089de2ff5ac3dcd09
SSDeep: 768:BfkHUNFraf5mU3m+UcG3/SiFk1M0T4hEfah3/ybQ4PCmIv2yIw4kEU:JksFraxzHG3FK5MBAZPTIvfIw4kEU
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001 0.75 KB MD5: ba5bd59643bb06e2c3b424550d082e2a
SHA1: ad66944614b44e9904779d88a0a84a4b6eb90e25
SHA256: be363cd99f6c2286f1319c80f97411ee30ac30f7353c46e0c47442e775616b19
SSDeep: 12:kljk2LYtwVMJAndiOvbgylELY+HQ/Wsn498DqJelsn1Xh9a0XB4ZAsuk8Xa:klj/gDJidiOvUyl4MDqJf33iAxzK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\03_Music_rated_at_4_or_5_stars.wpl 1.52 KB MD5: 9c05b40f26bc8e7d08a67cbdc3525934
SHA1: 31570a181c5fc41a76f5b50daad26e54e52754a2
SHA256: 3f2d73a70e6ae6def9553a8eb7c5f5e41aba159d35b1ab11853e406cdf3226d6
SSDeep: 48:lwZ9I6TrIrlSfTZzBra0rntWvMnPAw0Wbxd/+:CZy2rMlwdfrPnzY
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 0.66 KB MD5: b78d36a755da5f0553aa48df837727b2
SHA1: 70bb9dc9cff14bf0af8b187e12b19ba5f7d0e558
SHA256: b7339fc8eecf04566c952c0e44a49af06b22e34e7b140ff832a5e4ef96d9acb4
SSDeep: 12:XteTA8h89e5LJKWVHBSbfpmHX8DO69QUgfqlr7k3NXKTkZyZlSDF:kTAU89e54WVHQboXSZQRfok+r0R
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms 6.78 KB MD5: 53efb2d757903b89476276060c3315f9
SHA1: f22d390d6d1374efd443e4df61250c101bcf3046
SHA256: 681caf96508c1b9433e31bacc5ed08a79c961276f1548734f71c14ce3a846282
SSDeep: 192:XobCwP2uz8XjmzuoD92mht3RNtsfXSZcJ:XwP2uq8ugr5eCZG
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\eKqZ.jpg 38.21 KB MD5: 64617976d8faf89fb79d98bdc5089434
SHA1: fc5b715f2eecb631329302f98b6c303e210ea74d
SHA256: ee499b213b5698bfd760bfd2222ec4e05cbca32b66b36043d14b7221ecf0998d
SSDeep: 768:0u+i1ikZ/rhzI+mBWE5DsT08IR2sU/b2ykviMKB3+9C4T2J9utECKQExhdvzWmO5:0pgikvzI+CIIKSykqMS3uvGlQEHdv8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D 0.78 KB MD5: 1d46689f2366cf5e344267c48a98a361
SHA1: 09540fc55cdcb65531dddc986e8cdd9fe5a36b5e
SHA256: def594d9ef69c4269ca8075cbbf002135e143409503e00496eb14412dfe240a3
SSDeep: 12:lfHKwH5VtOLQtj4Wwlgd33l5N5Ku8G2CnNQPjSgxjtJYXhy40gIuFer:lfNeQJBd3TfsjSgxjsPd9g
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD 1.06 KB MD5: 4292edcabf473e4fa8d6e678d69ad40f
SHA1: 6d6fce81d254db7550b9249b21b7554a7da54e87
SHA256: 69f8e7c65a948c7f11b35b0b398688b142d7cf9d1d3f8fb87699bc3ba247ab17
SSDeep: 24:AmqQ5MghaUwbx+MlfkORN/ucXdQJq2Kveud5TsHV5uobXl:AmJMgcL3lXRNmcXyJq2Kmud1snth
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat 32.28 KB MD5: 20fa926e2578851f43c2dd79e57673fe
SHA1: 4a8f5976d3232ba7a6eff42cb7471c20aade1cbf
SHA256: 8dfb7615e42b5586a32298bbfaea6875d783a6d097b2afd44a062d14cb440f13
SSDeep: 768:BE7gjE4d5/KLeiC0NQXwl/aSyX2NfLrpxOtXXdcC9uH:y7gY4dlseiCsQg8lyfLv0XRuH
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001 1.75 KB MD5: b18056cd70469ff0b6af47d26a900a39
SHA1: 282154b5337aabc7f5c9ac6c222a92024a46832d
SHA256: 1ba841837541eeeda953f7dbadfaf9126bf4ca29e5b9080a05417c7481bc088d
SSDeep: 48:XZhHOlgdXpDlcSw/cFxw6zMYvjHrG2bwgJrxrcNYk9/ehr:XmlgdXpaSH7wW5HrvDaZk
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4 0.72 KB MD5: 12bac8e6ad86aa34f6b87f8511d85154
SHA1: 282cbe57b46685299fad2dc105b61848ab6f4c1e
SHA256: 70022980cdb75bd5b77590e8826ad937dd43424a49664510c8d0c0187e0cd2fe
SSDeep: 12:LOuyDB/zHynd9X8UTfetksW/LExMLgU173U2mFX3hxjQRk9Xc0TIl7YnEx9f5A:eDBby1eWZLlLgU17hmFXs2VISnEdA
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9 1.75 KB MD5: c2ec904ef9d137927e7481befa8f3be1
SHA1: 263113bf5ff55a0397c88b9c3a258851f7bcc783
SHA256: 0f9abd0f75c2b753b1adf02da011ee09cdf9b6dc55fa325f67ac26db7872a92b
SSDeep: 24:rlhWg7v8fgA7L6EqGFOB5IM+GgUIc+WL8pDYw0NbCXwS1xymahsPOR5topYwFBT6:6uXzM4Oev+baw0JCXTCmqNvcHmKOQ7y
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\xu_PiqbthIOK9.mp4 3.71 KB MD5: 3e22b0248be4f43eb692905b8cf5900e
SHA1: 52dfdbeb7e1b72dbb3bd231b39b00c20fec0deb8
SHA256: 122982ab7af80efe32ccedd792bb5499052981c7e1d70feac5d2c0eb42cc62fd
SSDeep: 96:fm6vSuGTPQhTAVG2yjI4hsvaCtUT7kysDjr6KptrQW:fm6uEsWI0OtsCr6KrrQW
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406 0.53 KB MD5: 0036519dac805d047b6fef907a5d4da3
SHA1: dea871e23d02468b1aca46406df67de59c2294da
SHA256: ccd7f0a24d9e7186bdfafbb69b19c1636700fce384759d53bbcfcc4c7be59540
SSDeep: 12:1eN3klkdHsXleERfIi967bRjpwpDLntn87a408EW3ouIBA:hSdMXhGw67bRqJntH40FW3ouIBA
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0 0.66 KB MD5: dc01c208eff2924d45f6c60c5369be3c
SHA1: 3aa8836248c011d67614c0ba72f3771c7eee0124
SHA256: 6513d400e50e7637a642323b3f8612b330e599b51be07ab925faf1312089aa7b
SSDeep: 12:0nmP0kIbXCB78Dsh8eHPyydDwpSNWikZuhouii+bVSLMtkXjrf5edUXbt3UT:0naELCOQhTwgNWduhoD0HMdUh3UT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220 0.67 KB MD5: 10b0adc2645fff0fde996456afeeedbc
SHA1: 0493c463591c86d6d19e73bb539583e8181ed74d
SHA256: 0a7697a6b08cfd5ff8ca7ea921ba435b1c01919876c24da553dfb41b828dc32a
SSDeep: 12:NlrywUt/jEc0SbbnFhD4eVu8lQU7HUGcygAlf8xKt5rsxdkHbYOeGCYKipN:/ODj1DbbnUEBlZcygMf8xKt5QxmPZRVN
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\04_Music_played_in_the_last_month.wpl 1.53 KB MD5: 134f4d1a803f84642697d17734d46c7c
SHA1: bc50edc9d4cc2d401a3bc787daf053c0826f87b4
SHA256: 6fcb6046e77dd0d0545d5e472ac09481812bad19e031b511fad63a839cf38959
SSDeep: 24:OKW2pxr9Ip0FvKXN6WDAPe7HFGjdNbGqs76pIQttv9XTaw1wGJhVNkXohCD64CT/:OK/ypevK5DAtjd476moX2z8VNk2l4S/
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\10_All_Music.wpl 1.31 KB MD5: 5bc7cb2a147d762beb1a4705d2f34ffe
SHA1: a428e7df273efa1c54453bb589cbe21f132a6f80
SHA256: e4479d4d86a7876b24b68d5818b9fe182c2a45fd8d3d241cea4f305b6bd4328d
SSDeep: 24:aZZaIYvFp++TQoQkEmA0dcBxZP8ZgpJ9/P6TiwqtCSiqkin65VAkCqoKzGmA50gn:aeFDQoQ8A0dcBfk6/xkiPCSiC641mGmW
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\szt7y6kA cW.odt 39.69 KB MD5: f688c218df26a0ec23a910683abaf4ec
SHA1: 310fae515c75667167de0fca57cb646374b93a05
SHA256: 400f05dae301420e15849e5cef1abda654f80e632b3b0b09515feac57fe956da
SSDeep: 768:N3Vq3ru/GnT0U3HcfBNbuw+Y404cF6eXCmFxj9Be4AQjtWI4y4wu/gMjI:N3wC/i04QNbuHYMcF6eX1ve4FSyZtV
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\06_Pictures_rated_4_or_5_stars.wpl 1.05 KB MD5: c8a937f15bf0532a3692a27bde205628
SHA1: fa8727ee9d28b5bae082f7fea6fc3a46321fd1b4
SHA256: 7bf9e457674ed12cb624532da5de7f0e4717111f4717896962451ec7643a658f
SSDeep: 24:ZoRlIgai9z/lQwMXsX7SKWSz474J/rV7hLkYE:ZoRlqi9z/lG8X7SjN4JjV1Li
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\08_Video_rated_at_4_or_5_stars.wpl 1.27 KB MD5: 13ffd4cbdc9bbc5244dc5576cba1965b
SHA1: d40aa4d5fe47e435bb33f7954088183bc1d83503
SHA256: 141e4b14e9439e1d4c760cf41093e85a5df60a3421d1dd7bf59ccc37033abcd6
SSDeep: 24:q2/VBJb1+vjipX1Eibrh+z88yfDyqjktkMbql730t9pljpuOor7tSAUeg:qQJ4vjEjY88yfDlcBG0tzNpuOotSAw
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.33 KB MD5: 3bdf0a3db4c033ca2283d42dc1e9b38a
SHA1: 2dd80c8506d1b616965861918a09bce352c77980
SHA256: df561940092d94e7258beb9a88e5ca963aadd25e804cadeebb2f4b38fe8ece0e
SSDeep: 6:sKyizgyA7buOi9n3FWs++CDnILxdzu6NiwdFsfriV/H/pchUk+bmaHh9utOcN:szqgfbZO3L++C7ILLzvFsC/HhuZ+bmac
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E 0.72 KB MD5: 45399dfab1c8fe15ba18c76e213350b4
SHA1: b833ee9bc89c854cf41334628c355253c7b0f53d
SHA256: 3250cf94d1b22ffadba33a04866ea180b8ddcaec65aa12be92aee3d32197eb06
SSDeep: 12:qlWyeVHZ+uPicdKHLlTVRUQHn8gAMTx+Mz3lpWdmrRi9d1nNhENJxH/gsnk3:qlWyeV5+c9+ZTV3Hmy/1pRRWjhErxH/I
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\07_TV_recorded_in_the_last_week.wpl 1.30 KB MD5: c82cf321dc2d260477bdb2942ff697be
SHA1: c7adac36157aee249234dbbd10d32f62bc76543a
SHA256: 9c14b8c9a34e856ec5d6957c7c0aab2a8e2a6a4b04a5d2d3be1d48494f682b53
SSDeep: 24:U9szmwEUbUOLNxX445Xge1woiplC0M7NKZnhR9TR/6dCqJeFcNVx:m/25NxoAwMwJplCh7sfzRwC8eF2
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585 0.66 KB MD5: 9640d515bec2e0b4c01eee90c1d8c196
SHA1: d15a852f041c91db6417b879090dfd4603471ae4
SHA256: 361cbbf198388b19c37f10d689b87965baff7c12faffb9b1945961bef04a69ab
SSDeep: 12:iRSDnmzVPl9X5ihHDCCWxGY/zpkG7eH5qeTpHxxjN5C3g:igCzVP3wj2/zd76PTpHfjN4w
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\01_Music_auto_rated_at_5_stars.wpl 1.30 KB MD5: 4e6344ed1ebd27d4e96acef96992dc48
SHA1: 58cf509a49c20fb120d35ef1c478e21fd0f03273
SHA256: 5da66f0fa39403cfe7af7158ae79fa387e1912337a81b9ecb9f5d8f35b87a41d
SSDeep: 24:6rcjycATs/NliDqcldiIWNiyNfRKfLQ2wgeDW1MfhJYA3l9KU0sx+RB5JLvfSh5:6rcjvos1liDqcldiIWd+vlCK2YAV9KUr
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD 2.00 KB MD5: fe0cb653222e72037f7568f44dabf977
Host Behavior
File (5628)
»
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1
Fn
Create C:\users\Public\sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Fn
Create C:\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Fn
Create C:\Boot\BCD desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\BCD.LOG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\BCD.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\BCD.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\BOOTSTAT.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 25
Fn
Create C:\Boot\cs-CZ\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\da-DK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\de-DE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\el-GR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\es-ES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\fi-FI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\chs_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\cht_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\fr-FR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\hu-HU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\it-IT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ja-JP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ko-KR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\nb-NO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\nl-NL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pl-PL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pt-BR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pt-PT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ru-RU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\sv-SE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\tr-TR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-CN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-HK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-TW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\bootmgr desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\BOOTSECT.BAK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Config.Msi\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\hiberfil.sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\MSOCache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\pagefile.sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\PerfLogs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Fn
Create C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 27
Fn
Create C:\Program Files\Common Files\Microsoft Shared\DW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.CNT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.HLP desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\MTEXTRA.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EURO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Filters\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.CFG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FNT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\GIFIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.CGM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.WPG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\WPGIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Help\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 38
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 10
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\MSClientDataMgr\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\MSInfo\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 4
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MUAUTH.CAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 22
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\pkeyconfig-office.xrm-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\PrjProrWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\ProjectMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\ProPlusrWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\VisioMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\VisiorWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_EN.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_ES.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_FR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\METCONV.TXT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\MSTAG.TLB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Source Engine\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\RECOVR32.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\Wks9Pxy.cnv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\WPFT532.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\WPFT632.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 46
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\AFTRNOON.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\AFTRNOON.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\ARCTIC.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\ARCTIC.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\AXIS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\AXIS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\BLENDS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\BLENDS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\BLUECALM.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\BLUECALM.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\BLUEPRNT.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\BLUEPRNT.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\BOLDSTRI.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\BREEZE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\BREEZE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\CANYON.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\CANYON.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\CASCADE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\CASCADE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\COMPASS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\COMPASS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\CONCRETE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\CONCRETE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\DEEPBLUE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\DEEPBLUE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\ECHO.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\ECHO.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\EVRGREEN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\EVRGREEN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\JOURNAL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\JOURNAL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\LAYERS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\LAYERS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RADIAL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RADIAL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\REFINED.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\REFINED.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RIPPLE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RIPPLE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RMNSQUE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RMNSQUE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\SATIN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\SATIN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\SKY.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\SKY.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\SLATE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\SLATE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\SPRING.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\SPRING.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\STRTEDGE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\STRTEDGE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\STUDIO.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\STUDIO.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\SUMIPNTG.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\SUMIPNTG.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\THEMES.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 7
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\MSB1ARFR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES\MSB1ENES.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR\MSB1FRAR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1AR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1CACH.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Triedit\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\FM20.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBCN6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBENDF98.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBHW6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBLR6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBOB6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBUI6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VGX\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\BIGFONT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\CHINESET.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\EXTFONT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\GBCBIG.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\IC-TXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\ICAD.FMP desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHGDTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHGTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHTGTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHTMTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Web Folders\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Services\verisign.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Services\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\SpeechEngines\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Create C:\Program Files\Common Files\System\ado\adojavas.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\adovbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado20.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado21.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado25.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado26.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado27.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msadomd28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msadox28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\msadc\adcjavas.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\msadc\adcvbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\msadc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\msadc\handler.reg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\msadc\handsafe.reg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\MSMAPI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\System\MSMAPI\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\sqloledb.rll desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\audiodepthconverter.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\bod_r.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\directshowtap.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\DVD Maker\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Eurosti.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\fieldswitch.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\offset.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\rtstreamsink.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\rtstreamsource.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\SecretST.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\Common.fxh desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DissolveAnother.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DissolveNoise.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 16
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
For performance reasons, the remaining 2516 entries are omitted.
The remaining entries can be found in glog.xml.
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77550000 True 1
Load mpr.dll base_address = 0x7fefaaa0000 True 1
Load advapi32.dll base_address = 0x7feff740000 True 1
Load ole32.dll base_address = 0x7fefddf0000 True 1
Load Shell32.dll base_address = 0x7fefe360000 True 1
Load Iphlpapi.dll base_address = 0x7fefaf60000 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77567070 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77572dd0 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77561260 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7755ad90 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7756bdf0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7756c480 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77568070 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77561910 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x775667a0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7feff74dc20 True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x776940f0 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7759bb30 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x775e8840 True 1
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7755d910 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7759bb40 True 1
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x775594e0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7feff751fd0 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77561500 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff75c480 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77572f80 True 1
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7feff751ed0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff760710 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x775e5620 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x775637a0 True 1
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x775e8d80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7feff77b6b0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77572b70 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77565cf0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe37983c True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7755f9d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x775580c0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7756bd60 True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77561170 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x775664a0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe5bec80 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x775665e0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77567700 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x775731f0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77559b30 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x775735a0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7755b930 True 1
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefaaa41a0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7feff7606f0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefaaa42dc True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x775582b0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77552d50 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff75b5f0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77561150 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77572b00 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7756bdd0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7feff74d98c True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefde0a51c True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7feff77b6d0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7feff74af6c True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7755af00 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x775592d0 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77566620 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77571bb0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7755ad70 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77566580 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7feff74afa0 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefde17490 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77561870 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x775613e0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7feff77b650 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7feff74bbb0 True 1
Fn
System (7)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Get Info type = Operating System True 2
Get Info type = Windows Directory, result_out = C:\Windows True 3
Process #416: net1.exe
17 0
Information Value
ID #416
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfefire /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10e4
Parent PID 0x126c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffec0000 0xffef2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffec0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:47:16 (UTC) True 1
Get Time type = Ticks, time = 167701 True 1
Fn
Process #417: taskhost.exe
92 0
Information Value
ID #417
File Name c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:05, Reason: Injection
Unmonitor End Time: 00:05:06, Reason: Terminated by Timeout
Monitor Duration 00:03:01
OS Process Information
Information Value
PID 0x4a4
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x13EC, 0x13E4, 0x13E0, 0x13D4, 0x13C8, 0x13BC, 0x13B8, 0x13B0, 0x13AC, 0x13A0, 0x139C, 0x1398, 0x1394, 0x1370, 0xD64, 0x890, 0x7EC, 0x4F8, 0x53C, 0x7D4, 0x7BC, 0x76C, 0x768, 0x760, 0x4CC, 0x4C0, 0x4A8, 0xD58, 0x1278
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b1fff Pagefile Backed Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
msutb.dll.mui 0x00190000 0x00191fff Memory Mapped File rw False False False -
private_0x00000000001a0000 0x001a0000 0x001dffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000620000 0x00620000 0x007a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x01baffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001bb0000 0x01bb0000 0x01fa2fff Pagefile Backed Memory r True False False -
private_0x0000000002040000 0x02040000 0x020bffff Private Memory rw True False False -
private_0x0000000002130000 0x02130000 0x021affff Private Memory rw True False False -
pagefile_0x00000000021b0000 0x021b0000 0x0228efff Pagefile Backed Memory r True False False -
private_0x00000000022e0000 0x022e0000 0x0235ffff Private Memory rw True False False -
private_0x0000000002440000 0x02440000 0x024bffff Private Memory rw True False False -
kernelbase.dll.mui 0x024c0000 0x0257ffff Memory Mapped File rw False False False -
private_0x0000000002590000 0x02590000 0x0260ffff Private Memory rw True False False -
private_0x0000000002640000 0x02640000 0x0264ffff Private Memory rw True False False -
private_0x0000000002660000 0x02660000 0x026dffff Private Memory rw True False False -
private_0x00000000026f0000 0x026f0000 0x0276ffff Private Memory rw True False False -
private_0x0000000002770000 0x02770000 0x027effff Private Memory rw True False False -
private_0x0000000002800000 0x02800000 0x0287ffff Private Memory rw True False False -
private_0x0000000002890000 0x02890000 0x0290ffff Private Memory rw True False False -
private_0x0000000002910000 0x02910000 0x0298ffff Private Memory rw True False False -
private_0x00000000029c0000 0x029c0000 0x02a3ffff Private Memory rw True False False -
sortdefault.nls 0x02a40000 0x02d0efff Memory Mapped File r False False False -
private_0x0000000002d80000 0x02d80000 0x02dfffff Private Memory rw True False False -
private_0x0000000002e00000 0x02e00000 0x02e7ffff Private Memory rw True False False -
private_0x0000000002ee0000 0x02ee0000 0x02f5ffff Private Memory rw True False False -
private_0x0000000002fc0000 0x02fc0000 0x0303ffff Private Memory rw True False False -
private_0x0000000003080000 0x03080000 0x030fffff Private Memory rw True False False -
private_0x0000000003140000 0x03140000 0x031bffff Private Memory rw True False False -
private_0x00000000031d0000 0x031d0000 0x0324ffff Private Memory rw True False False -
private_0x0000000003280000 0x03280000 0x032fffff Private Memory rw True False False -
private_0x0000000003320000 0x03320000 0x0339ffff Private Memory rw True False False -
private_0x00000000033c0000 0x033c0000 0x0343ffff Private Memory rw True False False -
private_0x0000000003450000 0x03450000 0x034cffff Private Memory rw True False False -
private_0x00000000034d0000 0x034d0000 0x0354ffff Private Memory rw True False False -
private_0x0000000003570000 0x03570000 0x035effff Private Memory rw True False False -
private_0x0000000003650000 0x03650000 0x036cffff Private Memory rw True False False -
private_0x00000000036f0000 0x036f0000 0x0376ffff Private Memory rw True False False -
private_0x00000000037a0000 0x037a0000 0x0381ffff Private Memory rw True False False -
private_0x00000000038d0000 0x038d0000 0x0394ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskhost.exe 0xff7e0000 0xff7f3fff Memory Mapped File rwx False False False -
private_0x000000013f0e0000 0x13f0e0000 0x13f113fff Private Memory rwx True False False -
winmm.dll 0x7fef8080000 0x7fef80bafff Memory Mapped File rwx False False False -
msutb.dll 0x7fef8bb0000 0x7fef8becfff Memory Mapped File rwx False False False -
msctfmonitor.dll 0x7fef8bf0000 0x7fef8bfafff Memory Mapped File rwx False False False -
hotstartuseragent.dll 0x7fef8f70000 0x7fef8f7afff Memory Mapped File rwx False False False -
playsndsrv.dll 0x7fef9030000 0x7fef9047fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb040000 0x7fefb04afff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fefb0d0000 0x7fefb0e4fff Memory Mapped File rwx False False False -
taskschd.dll 0x7fefb200000 0x7fefb326fff Memory Mapped File rwx False False False -
dimsjob.dll 0x7fefb6b0000 0x7fefb6bdfff Memory Mapped File rwx False False False -
npmproxy.dll 0x7fefb700000 0x7fefb70bfff Memory Mapped File rwx False False False -
netprofm.dll 0x7fefb8c0000 0x7fefb933fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbae0000 0x7fefbaf7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
private_0x000007fffff84000 0x7fffff84000 0x7fffff85fff Private Memory rw True False False -
private_0x000007fffff86000 0x7fffff86000 0x7fffff87fff Private Memory rw True False False -
private_0x000007fffff88000 0x7fffff88000 0x7fffff89fff Private Memory rw True False False -
private_0x000007fffff8a000 0x7fffff8a000 0x7fffff8bfff Private Memory rw True False False -
private_0x000007fffff8c000 0x7fffff8c000 0x7fffff8dfff Private Memory rw True False False -
private_0x000007fffff8e000 0x7fffff8e000 0x7fffff8ffff Private Memory rw True False False -
private_0x000007fffff90000 0x7fffff90000 0x7fffff91fff Private Memory rw True False False -
private_0x000007fffff92000 0x7fffff92000 0x7fffff93fff Private Memory rw True False False -
private_0x000007fffff94000 0x7fffff94000 0x7fffff95fff Private Memory rw True False False -
private_0x000007fffff96000 0x7fffff96000 0x7fffff97fff Private Memory rw True False False -
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff Private Memory rw True False False -
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory rw True False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory rw True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory rw True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory rw True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory rw True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe 0x958 address = 0x13f0e0000, size = 212992 True 1
Create Remote Thread #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe 0x958 address = 0x13f0e1a30 True 1
Host Behavior
File (4)
Operation Filename Additional Information Success Count
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 4
Module (78)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x77550000 True 1
Load mpr.dll base_address = 0x7fefaaa0000 True 1
Load advapi32.dll base_address = 0x7feff740000 True 1
Load ole32.dll base_address = 0x7fefddf0000 True 1
Load Shell32.dll base_address = 0x7fefe360000 True 1
Load Iphlpapi.dll base_address = 0x7fefaf60000 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77567070 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77572dd0 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77561260 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7755ad90 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7756bdf0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7756c480 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77568070 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77561910 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x775667a0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7feff74dc20 True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x776940f0 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7759bb30 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x775e8840 True 1
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7755d910 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7759bb40 True 1
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x775594e0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7feff751fd0 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77561500 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff75c480 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77572f80 True 1
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7feff751ed0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff760710 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x775e5620 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x775637a0 True 1
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x775e8d80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7feff77b6b0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77572b70 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77565cf0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe37983c True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7755f9d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x775580c0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7756bd60 True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77561170 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x775664a0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe5bec80 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x775665e0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77567700 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x775731f0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77559b30 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x775735a0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7755b930 True 1
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefaaa41a0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7feff7606f0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefaaa42dc True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x775582b0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77552d50 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff75b5f0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77561150 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77572b00 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7756bdd0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7feff74d98c True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefde0a51c True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7feff77b6d0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7feff74af6c True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7755af00 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x775592d0 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77566620 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77571bb0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7755ad70 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77566580 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7feff74afa0 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefde17490 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77561870 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x775613e0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7feff77b650 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7feff74bbb0 True 1
System (10)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Sleep duration = 9000 milliseconds (9.000 seconds) True 4
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 4
Process #418: net1.exe
17 0
Information Value
ID #418
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop KAVFS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1160
Parent PID 0xee0 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffec0000 0xffef2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4380000 0x7fef4391fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffec0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:47:16 (UTC) True 1
Get Time type = Ticks, time = 167747 True 1
Process #419: reg.exe
13 0
Information Value
ID #419
File Name c:\windows\system32\reg.exe
Command Line REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe" /f
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xfa0
Parent PID 0xf58 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
reg.exe.mui 0x000e0000 0x000e8fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01b50000 0x01e1efff Memory Mapped File r False False False -
kernelbase.dll.mui 0x01e20000 0x01edffff Memory Mapped File rw False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
reg.exe 0xff480000 0xff4d5fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (5)
Operation Filename Additional Information Success Count
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Open STD_OUTPUT_HANDLE - True 3
Write STD_OUTPUT_HANDLE size = 39 True 1
Registry (4)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = svchos False 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = svchos, data = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fivjf.exe, size = 96, type = REG_SZ True 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\reg.exe base_address = 0xff480000 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1601-02-07 06:21:23 (UTC) True 1
Get Time type = Ticks, time = 168106 True 1
Process #420: taskeng.exe
89 0
Information Value
ID #420
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {CD671DAD-4B74-4170-B439-24634829D136} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:06, Reason: Injection
Unmonitor End Time: 00:02:36, Reason: Self Terminated
Monitor Duration 00:00:30
OS Process Information
Information Value
PID 0x59c
Parent PID 0x374 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x894, 0x6EC, 0x5F4, 0x5B4, 0x5A8, 0x5A0, 0x1304, 0x1178
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
pagefile_0x00000000003b0000 0x003b0000 0x00537fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000540000 0x00540000 0x006c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x01acffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ad0000 0x01ad0000 0x01ec2fff Pagefile Backed Memory r True False False -
private_0x0000000001ed0000 0x01ed0000 0x01fcffff Private Memory rw True False False -
private_0x0000000001fd0000 0x01fd0000 0x0204ffff Private Memory rw True False False -
private_0x0000000002060000 0x02060000 0x020dffff Private Memory rw True False False -
private_0x00000000020e0000 0x020e0000 0x0215ffff Private Memory rw True False False -
private_0x0000000002210000 0x02210000 0x0228ffff Private Memory rw True False False -
sortdefault.nls 0x02290000 0x0255efff Memory Mapped File r False False False -
private_0x0000000002700000 0x02700000 0x0277ffff Private Memory rw True False False -
private_0x00000000027b0000 0x027b0000 0x0282ffff Private Memory rw True False False -
private_0x0000000002840000 0x02840000 0x028bffff Private Memory rw True False False -
pagefile_0x00000000028c0000 0x028c0000 0x0299efff Pagefile Backed Memory r True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskeng.exe 0xffcf0000 0xffd63fff Memory Mapped File rwx False False False -
private_0x000000013f0e0000 0x13f0e0000 0x13f113fff Private Memory rwx True False False -
tschannel.dll 0x7fef7bb0000 0x7fef7bb8fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
ktmw32.dll 0x7fefab80000 0x7fefab89fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
xmllite.dll 0x7fefbaa0000 0x7fefbad4fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbae0000 0x7fefbaf7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
wevtapi.dll 0x7fefd0e0000 0x7fefd14cfff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe 0x958 address = 0x13f0e0000, size = 212992 True 1
Fn
Data
Create Remote Thread #1: c:\users\5p5nrgjn0js halpmcxz\desktop\fivjf.exe 0x958 address = 0x13f0e1a30 True 1
Fn
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 3
Fn
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77550000 True 1
Fn
Load mpr.dll base_address = 0x7fefaaa0000 True 1
Fn
Load advapi32.dll base_address = 0x7feff740000 True 1
Fn
Load ole32.dll base_address = 0x7fefddf0000 True 1
Fn
Load Shell32.dll base_address = 0x7fefe360000 True 1
Fn
Load Iphlpapi.dll base_address = 0x7fefaf60000 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77567070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77572dd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77561260 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7755ad90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7756bdf0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7756c480 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77568070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77561910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x775667a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7feff74dc20 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x776940f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7759bb30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x775e8840 True 1
Fn
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7755d910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7759bb40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x775594e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7feff751fd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77561500 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff75c480 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77572f80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7feff751ed0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff760710 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x775e5620 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x775637a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x775e8d80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7feff77b6b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77572b70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77565cf0 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe37983c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7755f9d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x775580c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7756bd60 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77561170 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x775664a0 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe5bec80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x775665e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77567700 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x775731f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77559b30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x775735a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7755b930 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefaaa41a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7feff7606f0 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefaaa42dc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x775582b0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77552d50 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff75b5f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77561150 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77572b00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7756bdd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7feff74d98c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefde0a51c True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7feff77b6d0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7feff74af6c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7755af00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x775592d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77566620 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77571bb0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7755ad70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77566580 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7feff74afa0 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefde17490 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77561870 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x775613e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7feff77b650 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7feff74bbb0 True 1
Fn
System (8)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Fn
Sleep duration = 9000 milliseconds (9.000 seconds) True 3
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Windows Directory, result_out = C:\Windows True 3
Fn