e192995a42b91bd86aa0c5fe5d4e4aaff1b921bdb10946b1ea67565b5d3164da (SHA256)
scvhost.exe
Windows Exe (x86-32)
Created at 2018-04-15 00:07:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: scvhost.exe
44649
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\scvhost.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\scvhost.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:45 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb54 |
| Parent PID | 0x5dc (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7CC
0x
AF8
0x
598
0x
A38
0x
2EC
0x
27C
0x
E48
0x
E3C
0x
D18
0x
E4C
0x
210
0x
E78
0x
E44
0x
E14
0x
E8C
0x
E70
0x
E6C
0x
E80
0x
E7C
0x
74C
0x
E28
0x
544
0x
E90
0x
420
0x
E94
0x
E1C
0x
E9C
0x
EBC
0x
EE0
0x
EC4
0x
ED8
0x
EDC
0x
EB0
0x
ED4
0x
EE8
0x
EB4
0x
E84
0x
ED0
0x
B20
0x
E88
0x
B88
0x
B0
0x
EFC
0x
F18
0x
F10
0x
EC0
0x
F14
0x
F00
0x
EB8
0x
F1C
0x
F0C
0x
E74
0x
CE0
0x
CE4
0x
CE8
0x
CF4
0x
CF8
0x
CEC
0x
CF0
0x
F08
0x
CDC
0x
EF0
0x
F4C
0x
A1C
0x
AF4
0x
350
0x
EE4
0x
D2C
0x
D28
0x
E20
0x
F3C
0x
EEC
0x
F24
0x
F34
0x
EF4
0x
F50
0x
F44
0x
DDC
0x
EF8
0x
F2C
0x
DE4
0x
F40
0x
A5C
0x
F38
0x
A78
0x
A60
0x
F60
0x
524
0x
F48
0x
F20
0x
A7C
0x
E34
0x
954
0x
DF8
0x
E18
0x
910
0x
52C
0x
948
0x
9F4
0x
560
0x
930
0x
9A0
0x
F28
0x
928
0x
854
0x
A54
0x
8C8
0x
F30
0x
82C
0x
E68
0x
F58
0x
F7C
0x
AA0
0x
F70
0x
F80
0x
A58
0x
A94
0x
BFC
0x
A84
0x
824
0x
A88
0x
F64
0x
A90
0x
F5C
0x
F94
0x
FA8
0x
F6C
0x
FB4
0x
FB0
0x
F54
0x
F78
0x
FB8
0x
F68
0x
F74
0x
FC8
0x
960
0x
B68
0x
FCC
0x
FFC
0x
F8C
0x
FD0
0x
F88
0x
F9C
0x
F98
0x
FEC
0x
F90
0x
FA0
0x
FDC
0x
FA4
0x
FE8
0x
168
0x
C18
0x
FF4
0x
604
0x
9CC
0x
FD8
0x
F0
0x
FE4
0x
FE0
0x
FC0
0x
778
0x
FBC
0x
FD4
0x
FF0
0x
C30
0x
C40
0x
C4C
0x
C54
0x
C60
0x
C5C
0x
FC4
0x
C64
0x
9EC
0x
8BC
0x
FF8
0x
D04
0x
D08
0x
CA0
0x
C68
0x
1F4
0x
C78
0x
C20
0x
C58
0x
C38
0x
C24
0x
C1C
0x
C98
0x
D8C
0x
E58
0x
C44
0x
820
0x
C80
0x
390
0x
C3C
0x
9A4
0x
E54
0x
D00
0x
554
0x
C9C
0x
C8C
0x
518
0x
E50
0x
E2C
0x
E98
0x
E24
0x
310
0x
A24
0x
340
0x
D0C
0x
CB4
0x
E38
0x
42C
0x
BC0
0x
CA4
0x
CBC
0x
CC0
0x
B3C
0x
CD8
0x
620
0x
CD4
0x
C48
0x
114
0x
C34
0x
CCC
0x
CB8
0x
C6C
0x
D24
0x
C7C
0x
C74
0x
D40
0x
D3C
0x
714
0x
D78
0x
D44
0x
D80
0x
834
0x
D14
0x
454
0x
CC8
0x
D20
0x
D70
0x
D5C
0x
CAC
0x
CD0
0x
65C
0x
8F8
0x
DAC
0x
53C
0x
5C0
0x
D84
0x
D90
0x
B4C
0x
D38
0x
300
0x
DB8
0x
D94
0x
764
0x
B30
0x
D50
0x
E10
0x
394
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002c0000 | 0x0037dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| scvhost.exe | 0x00400000 | 0x00580fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00867fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x00baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x01130fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001140000 | 0x01140000 | 0x0253ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02540000 | 0x02876fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x0297ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x02b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b80000 | 0x02b80000 | 0x02d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d80000 | 0x02d80000 | 0x02f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002f80000 | 0x02f80000 | 0x0317ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003180000 | 0x03180000 | 0x031bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000031c0000 | 0x031c0000 | 0x033bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000033c0000 | 0x033c0000 | 0x033fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003400000 | 0x03400000 | 0x035fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003600000 | 0x03600000 | 0x0363ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003640000 | 0x03640000 | 0x0383ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003840000 | 0x03840000 | 0x0387ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003880000 | 0x03880000 | 0x03a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003a80000 | 0x03a80000 | 0x03abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ac0000 | 0x03ac0000 | 0x03cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003cc0000 | 0x03cc0000 | 0x03cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003d00000 | 0x03d00000 | 0x03efffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003f00000 | 0x03f00000 | 0x03f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003f40000 | 0x03f40000 | 0x0413ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004140000 | 0x04140000 | 0x0417ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004180000 | 0x04180000 | 0x0437ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004380000 | 0x04380000 | 0x043bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x045bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x047fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x0483ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x04a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04efffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x050fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x0513ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x0533ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005340000 | 0x05340000 | 0x0537ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0557ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005580000 | 0x05580000 | 0x055bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000055c0000 | 0x055c0000 | 0x057bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000057c0000 | 0x057c0000 | 0x057fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005800000 | 0x05800000 | 0x059fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005a00000 | 0x05a00000 | 0x05a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005a40000 | 0x05a40000 | 0x05c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005c40000 | 0x05c40000 | 0x05c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005c80000 | 0x05c80000 | 0x05e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005e80000 | 0x05e80000 | 0x05ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005ec0000 | 0x05ec0000 | 0x060bffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x74a00000 | 0x74a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dhcpcsvc.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x74b20000 | 0x74b36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74b40000 | 0x74b52fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x74c40000 | 0x74cd0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x75070000 | 0x7507efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windows.storage.dll | 0x750d0000 | 0x755acfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x755b0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| powrprof.dll | 0x777f0000 | 0x77833fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007fe62000 | 0x7fe62000 | 0x7fe64fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe71000 | 0x7fe71000 | 0x7fe73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe74000 | 0x7fe74000 | 0x7fe76fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe77000 | 0x7fe77000 | 0x7fe79fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe7a000 | 0x7fe7a000 | 0x7fe7cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe7d000 | 0x7fe7d000 | 0x7fe7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe80000 | 0x7fe80000 | 0x7fe82fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe83000 | 0x7fe83000 | 0x7fe85fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe86000 | 0x7fe86000 | 0x7fe88fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe89000 | 0x7fe89000 | 0x7fe8bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe8c000 | 0x7fe8c000 | 0x7fe8efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe8f000 | 0x7fe8f000 | 0x7fe91fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe92000 | 0x7fe92000 | 0x7fe94fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe95000 | 0x7fe95000 | 0x7fe97fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe98000 | 0x7fe98000 | 0x7fe9afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe9b000 | 0x7fe9b000 | 0x7fe9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe9e000 | 0x7fe9e000 | 0x7fea0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fea1000 | 0x7fea1000 | 0x7fea3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fea4000 | 0x7fea4000 | 0x7fea6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffc03e6ffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 696 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\hiberfil.sys.nmcrypt | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\swapfile.sys.nmcrypt | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxa54e.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxa57e.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxa773.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxa7b3.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxa831.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxa8ce.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxaa27.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxabbe.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxabfd.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxac7b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxadc4.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxadf4.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxae05.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxae83.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxae94.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxaf02.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb28d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb29e.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb2ce.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb31d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb33d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb35d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb35e.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb36f.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb380.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb390.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb3c0.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb3d1.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb410.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb411.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb422.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb432.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb443.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb454.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb510.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb521.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb531.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\.xxb552.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\ar-sa\.xxb5d0.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\bg-bg\.xxb63e.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\cs-cz\.xxb65e.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\da-dk\.xxb66f.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\de-de\.xxb680.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\el-gr\.xxb6a0.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-gb\.xxb6c0.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxb71f.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxb7bc.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxba0f.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxba9c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxbb97.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc220.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc231.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc251.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc31d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc37c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc38d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc747.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc777.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc787.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc873.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc8c2.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxc9cc.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxca99.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxcaf7.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxcaf8.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxcb28.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxcb58.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\.xxcb69.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\es-es\.xxce87.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\es-mx\.xxcec6.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\et-ee\.xxced7.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fi-fi\.xxcf35.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fr-ca\.xxd050.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fr-fr\.xxd060.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\.xxd0fe.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\.xxd19b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\.xxd1ab.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\.xxd20a.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\.xxd21b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\.xxd24b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\.xxd25b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\.xxd29b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\.xxd2ea.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\.xxd2fb.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\.xxd30b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\insert\.xxd658.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\.xxd678.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\.xxd706.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\.xxd716.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd7e3.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd7f3.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd804.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd863.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd873.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd8a3.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd8b4.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd8c4.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd8d5.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd924.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd935.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd955.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\.xxd9b4.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\.xxda51.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\oskmenu\.xxda62.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav\.xxde4b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\osknumpad\.xxde6b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred\.xxde9b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\.xxdef9.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\.xxdf49.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\.xxe0b1.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\he-il\.xxe0c2.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\hr-hr\.xxe0f1.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\hu-hu\.xxe112.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\it-it\.xxe132.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\ja-jp\.xxe143.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\ko-kr\.xxe153.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\languagemodel\.xxe164.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\lt-lt\.xxe174.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\lv-lv\.xxe195.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\nb-no\.xxe1a5.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\nl-nl\.xxe204.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\pl-pl\.xxe4a5.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\pt-br\.xxe4c5.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\pt-pt\.xxe4d6.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\ro-ro\.xxe66d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\ru-ru\.xxe70a.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\sk-sk\.xxe72b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\sl-si\.xxe73b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\sr-latn-cs\.xxe74c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\sr-latn-rs\.xxe808.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\sv-se\.xxe877.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\th-th\.xxe8a7.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\tr-tr\.xxe8e6.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\uk-ua\.xxe906.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\zh-cn\.xxe927.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\zh-hk\.xxe937.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\ink\zh-tw\.xxe977.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\msinfo\en-us\.xxea04.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxee0d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxee7b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxefd4.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf004.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf024.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf034.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf064.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf085.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf0f3.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf132.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf182.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf1d1.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf1e1.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf202.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf260.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf36b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf37c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf448.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf458.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf479.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf499.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf70b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf72b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf73c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf74c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf75d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf78d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf79d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf7cd.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf84b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf8e9.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf918.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxf996.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfa05.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfa25.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfab3.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfb11.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfb22.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfc4c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfcf9.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfd09.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfd39.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfd4a.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfd5b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfd7b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfd8b.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\microsoft shared\stationery\.xxfd9c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xxff62.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xxff73.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xx5e.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xxec.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xx1b8.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xx207.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xx237.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xx2f3.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xx41d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xx46c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xx49c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\.xx4ad.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ado\en-us\.xx4dd.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\en-us\.xx51c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\msadc\.xx53d.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\msadc\.xx56c.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\msadc\en-us\.xx6b6.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\msadc\en-us\.xx791.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\msadc\en-us\.xx81f.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\msadc\en-us\.xx949.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\msadc\en-us\.xx988.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ole db\.xx9d7.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ole db\.xxa36.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ole db\.xxac4.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ole db\.xxad4.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ole db\en-us\.xxb43.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ole db\en-us\.xxbc1.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ole db\en-us\.xxc6e.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\system\ole db\en-us\.xxd88.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\program files\common files\designer\msaddndr.olb.nmcrypt | 23.20 KB |
MD5:
fb8fffe15baafaeadbb5f5d675e05103
SHA1: a8d1c7167ac0db5439c34d5c414db3f3bb1c2b99 SHA256: a7e4409b84fdfe297ed3c527453908ab043fe94340cb690871d55591e4ad4d74 |
|
|
| c:\program files\common files\designer\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\clicktorun\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\ar-sa\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\bg-bg\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\cs-cz\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\da-dk\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\de-de\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\el-gr\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\en-gb\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\en-us\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\es-es\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\es-mx\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\et-ee\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fi-fi\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fr-ca\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fr-fr\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\insert\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\main\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\oskmenu\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\osknumpad\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\he-il\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\hr-hr\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\hu-hu\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\it-it\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\ja-jp\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\ko-kr\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\languagemodel\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\lt-lt\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\lv-lv\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\nb-no\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\nl-nl\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\pl-pl\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\pt-br\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\pt-pt\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\ro-ro\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\ru-ru\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\sk-sk\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\sl-si\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\sr-latn-cs\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\sr-latn-rs\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\sv-se\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\th-th\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\tr-tr\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\uk-ua\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\zh-cn\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\zh-hk\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\ink\zh-tw\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\msinfo\en-us\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\office16\office setup controller\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\stationery\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\vsto\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\services\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\system\ado\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\system\ado\en-us\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\system\en-us\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\system\msadc\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\system\msadc\en-us\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\system\ole db\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\system\ole db\en-us\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\microsoft office\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\microsoft office\office16\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\microsoft office\packagemanifests\recovers your files.html | 5.10 KB |
MD5:
f083733b2690379e866c06d63d68a19b
SHA1: 4147ac8af22f374401b3f6e84190e8e270717ffa SHA256: b5026afec9eefce9814f67b8cc67d70dbee14f53242e34aa074cd3b0c4382c9c |
|
|
| c:\program files\common files\microsoft shared\clicktorun\c2rheartbeatconfig.xml.nmcrypt | 4.55 KB |
MD5:
984aeeb699c14bf83468aa3cfa501026
SHA1: c04516bb29311ea2ef484ffaee1821042bebb56b SHA256: 18aa96484c88595f89e77da491a82e83f6f8c06c4cd216ba19cfa1aa5f87a36a |
|
|
| c:\program files\common files\microsoft shared\clicktorun\clientcapabilities.json.nmcrypt | 0.56 KB |
MD5:
367eec774b2cf4b7e26535bf5a54f86b
SHA1: 6c335b8110953adbd0e25bb0fbf6aa69ff342722 SHA256: abbd3ba22b57970f7823e1f3dea325bc1e84918d5face280b9da93c8bda6f3dc |
|
|
| c:\program files\common files\microsoft shared\clicktorun\i640.hash.nmcrypt | 0.61 KB |
MD5:
05056ee4fdc78f5be9ddfef9240c3016
SHA1: 49aac4d380fc8aa8c5a008ee2cc3c27bd21293b1 SHA256: 60d892a49b6e237e18e6c6539ebe94d5b93065b2ffc5468630e09f8e879a0ed6 |
|
|
| c:\program files\common files\microsoft shared\clicktorun\i641033.hash.nmcrypt | 0.61 KB |
MD5:
bafc591e734329bfda70448c8483a317
SHA1: 519369b494093eabafc85dc8733c5d8b8da6f6a6 SHA256: 4bb9369c6e8de214e6371248280fc0660ccf7617ff6a789496d957cbf3a8b15a |
|
|
| c:\program files\common files\microsoft shared\clicktorun\officeupdateschedule.xml.nmcrypt | 5.17 KB |
MD5:
1f86fcbb1c58ea4be96de2657ed782db
SHA1: 4c126ac8511a0a503718d9262ec670bc09bb8866 SHA256: caf4932b03484f45ba57c4782740fe264fe588a30f89a5f04f87469fdec0c201 |
|
|
| c:\program files\common files\microsoft shared\clicktorun\servicewatcherschedule.xml.nmcrypt | 4.86 KB |
MD5:
904785a1d25cdd50c63cbd4eed309c75
SHA1: d2f36ed52cdebc67aac3a971cf178a1d3fd16276 SHA256: 29514e99d6e6386f7cabf8491e0ad276d2f608aaaf858c8384c7d7b57639a2e2 |
|
|
| c:\program files\common files\microsoft shared\ink\content.xml.nmcrypt | 26.92 KB |
MD5:
9af1660b546f7889cdf30d538a0080d1
SHA1: 7312ff5ba850d09f808fa838de3e08d26b69d1f8 SHA256: 159ddcb8c9d9d87c59d49b3921aa3650e2197754a07a305208b2dbba09c797d7 |
|
|
| c:\program files\common files\microsoft shared\ink\hwrcommonlm.dat.nmcrypt | 46.05 KB |
MD5:
e0658374d7a36ed60df3afa1b20f0a1a
SHA1: c91c1052e3237b43212df9931d650cad543037ca SHA256: a331357f67d0ac775aecd056d3bfd62b65c153d0b14e7660177879dfd2b994da |
|
|
| c:\program files\common files\microsoft shared\ink\ipsar.xml.nmcrypt | 2.88 KB |
MD5:
fa4913ac0c093dd2f254c2f0194b44f3
SHA1: 4c4f8c21982bff1ae34af3237ef2fb2b5522be22 SHA256: 8a7aa51cb15337c7e1810e6abe6a19b3355c80286b49e454a62935c26f5c08e1 |
|
|
| c:\program files\common files\microsoft shared\ink\ipscat.xml.nmcrypt | 3.05 KB |
MD5:
f4e5447034929a9f082c94afe32e3471
SHA1: fdf5c77570ede32aa1f6e6d049204b7295fef156 SHA256: 6947fb7cef6c4a2eca5113413f7f40a0d3d740228cd75b8542288b60a8551d03 |
|
|
| c:\program files\common files\microsoft shared\ink\ipschs.xml.nmcrypt | 2.91 KB |
MD5:
bbe3bf1bce297bbeae3da0a7b3760689
SHA1: 457b67b1f1b9384a750b4ba67264cddc2afc06ce SHA256: d11fd03fe0f8234d85f34caf50ea060d43a158102184b84fb69511a7e08d00cb |
|
|
| c:\program files\common files\microsoft shared\ink\ipscht.xml.nmcrypt | 2.89 KB |
MD5:
2f739a8315e88e24e7d5fec915f6750a
SHA1: 88e0bc283afca591a6b494e7414f388597872393 SHA256: 285eed5a96617be88a7c333c69fc606991f1e378eb66765f2d908019dd86eabb |
|
|
| c:\program files\common files\microsoft shared\ink\ipscsy.xml.nmcrypt | 3.00 KB |
MD5:
3b7853ef0678d2ac41431a2568b80134
SHA1: 1204dbb590f8dcb5666e515fe2475e785307f82b SHA256: da5f89def16f0d495f401fd142fa3b25f5fe1905748dc849bf8f492eb814b260 |
|
|
| c:\program files\common files\microsoft shared\ink\ipsdan.xml.nmcrypt | 2.97 KB |
MD5:
d60b7531af7928cf3f35263454f4c43f
SHA1: ced63c4969e0c7ec317adf3a2406cf11bce65c9b SHA256: 374d730f29e74f2100dfedfa5184afb1574afacc6326fdf3bdf7dd8865bfae3e |
|
|
| c:\program files\common files\microsoft shared\ink\ipsdeu.xml.nmcrypt | 3.06 KB |
MD5:
884269543395a10be4ab76960e389cbe
SHA1: fe8c68c7176bd8dd86091479ef64a9de91291fe9 SHA256: 83ce57d786d818baacc4dba3c1a892c6db42cec0a4f5bb3a3ab5d675a3cad315 |
|
|
Host Behavior
File (29883)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\?\C:\hiberfil.sys.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\hiberfil.sys | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\swapfile.sys.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\swapfile.sys | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\DESIGNER\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i641033.hash.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i641033.hash | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeUpdateSchedule.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeUpdateSchedule.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\Content.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\Content.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-PT\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ro-RO\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sl-SI\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\th-TH\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-HK\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-HK\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-HK\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-TW\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Blue_Gradient.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Blue_Gradient.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Cave_Drawings.gif.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Cave_Drawings.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Connectivity.gif.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Connectivity.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Dotted_Lines.emf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Dotted_Lines.emf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_1.emf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_1.emf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_2.emf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_2.emf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Graph.emf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Graph.emf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(cm).wmf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(cm).wmf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(inch).wmf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(inch).wmf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Memo.emf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Memo.emf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Monet.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Monet.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Month_Calendar.emf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Month_Calendar.emf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Music.emf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Music.emf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Notebook.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Notebook.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pine_Lumber.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pine_Lumber.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pretty_Peacock.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pretty_Peacock.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Psychedelic.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Psychedelic.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Sand_Paper.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Sand_Paper.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Seyes.emf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Seyes.emf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Shorthand.emf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Shorthand.emf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Small_News.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Small_News.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stucco.gif.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stucco.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tanspecks.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tanspecks.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tiki.gif.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tiki.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\To_Do_List.emf.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\To_Do_List.emf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\White_Chocolate.jpg.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\White_Chocolate.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Wrinkled_Paper.gif.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Wrinkled_Paper.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\Services\verisign.bmp.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\Services\verisign.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\Services\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\adojavas.inc.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\adojavas.inc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\adovbs.inc.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\adovbs.inc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado20.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado20.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado21.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado21.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado25.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado25.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado26.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado26.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado27.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado27.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado28.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado28.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado60.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msado60.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msadomd28.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msadomd28.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msador28.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msador28.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msadox28.tlb.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\msadox28.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\ado\en-US\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\en-US\wab32res.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\en-US\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\adcjavas.inc.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\adcjavas.inc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\adcvbs.inc.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\adcvbs.inc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\msadc\en-US\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\sqloledb.rll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\AppXManifest.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\AppXManifest.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\FileSystemMetadata.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\FileSystemMetadata.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\Office16\OSPP.HTM.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\Office16\OSPP.HTM | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\Office16\OSPP.VBS.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\Office16\OSPP.VBS | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\Office16\SLERROR.XML.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\Office16\SLERROR.XML | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\Office16\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\PackageManifests\Recovers your files.html | file_attributes = _O_WRONLY |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\HM00172_.WMF.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\HM00172_.WMF | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\HM00426_.WMF.NMCRYPT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\?\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\HM00426_.WMF | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXA54E.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXA57E.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXA773.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXA7B3.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXA831.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXA8CE.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXAA27.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXABBE.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXABFD.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXAC7B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXADC4.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXADF4.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXAE05.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXAE83.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXAE94.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXAF02.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB28D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB29E.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB2CE.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB31D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB33D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB35D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB35E.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB36F.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB380.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB390.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB3C0.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB3D1.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB410.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB411.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB422.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB432.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB443.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB454.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB510.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB521.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB531.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\.xXB552.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA\.xXB5D0.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG\.xXB63E.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\.xXB65E.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK\.xXB66F.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE\.xXB680.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR\.xXB6A0.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB\.xXB6C0.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXB71F.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXB7BC.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXBA0F.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXBA9C.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXBB97.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC220.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC231.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC251.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC31D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC37C.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC38D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC747.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC777.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC787.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC873.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC8C2.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC9CC.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXCA99.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXCAF7.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXCAF8.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXCB28.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXCB58.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXCB69.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES\.xXCE87.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX\.xXCEC6.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE\.xXCED7.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI\.xXCF35.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA\.xXD050.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR\.xXD060.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\.xXD0FE.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\.xXD19B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\.xXD1AB.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\.xXD20A.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\.xXD21B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\.xXD24B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\.xXD25B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\.xXD29B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\.xXD2EA.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\.xXD2FB.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\.xXD30B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\.xXD658.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\.xXD678.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\.xXD706.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\.xXD716.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD7E3.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD7F3.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD804.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD863.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD873.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD8A3.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD8B4.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD8C4.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD8D5.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD924.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD935.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD955.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\.xXD9B4.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\.xXDA51.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\.xXDA62.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\.xXDE4B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\.xXDE6B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\.xXDE9B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\.xXDEF9.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\.xXDF49.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\.xXE0B1.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL\.xXE0C2.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR\.xXE0F1.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU\.xXE112.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT\.xXE132.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP\.xXE143.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR\.xXE153.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\.xXE164.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\LanguageModel, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT\.xXE174.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV\.xXE195.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO\.xXE1A5.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL\.xXE204.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\pl-PL\.xXE4A5.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\pl-PL, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-BR\.xXE4C5.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-BR, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-PT\.xXE4D6.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-PT, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\ro-RO\.xXE66D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\ro-RO, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\ru-RU\.xXE70A.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\ru-RU, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\sk-SK\.xXE72B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\sk-SK, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\sl-SI\.xXE73B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\sl-SI, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\.xXE74C.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\.xXE808.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\sv-SE\.xXE877.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\sv-SE, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\th-TH\.xXE8A7.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\th-TH, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\tr-TR\.xXE8E6.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\tr-TR, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\uk-UA\.xXE906.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\uk-UA, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-CN\.xXE927.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-CN, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-HK\.xXE937.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-HK, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-TW\.xXE977.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-TW, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\.xXEA04.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\MSInfo\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXEE0D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXEE7B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXEFD4.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF004.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF024.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF034.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF064.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF085.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF0F3.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF132.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF182.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF1D1.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF1E1.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF202.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF260.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF36B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF37C.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF448.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF458.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF479.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF499.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF70B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF72B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF73C.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF74C.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF75D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF78D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF79D.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF7CD.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF84B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF8E9.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF918.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXF996.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFA05.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFA25.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFAB3.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFB11.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFB22.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFC4C.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFCF9.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFD09.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFD39.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFD4A.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFD5B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFD7B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFD8B.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\.xXFD9C.tmp | path = \\?\C:\Program Files\Common Files\microsoft shared\Stationery, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xXFF62.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xXFF73.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xX5E.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xXEC.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xX1B8.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xX207.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xX237.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xX2F3.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xX41D.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xX46C.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xX49C.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\.xX4AD.tmp | path = \\?\C:\Program Files\Common Files\System\ado, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\ado\en-US\.xX4DD.tmp | path = \\?\C:\Program Files\Common Files\System\ado\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\en-US\.xX51C.tmp | path = \\?\C:\Program Files\Common Files\System\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\msadc\.xX53D.tmp | path = \\?\C:\Program Files\Common Files\System\msadc, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\msadc\.xX56C.tmp | path = \\?\C:\Program Files\Common Files\System\msadc, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\msadc\en-US\.xX6B6.tmp | path = \\?\C:\Program Files\Common Files\System\msadc\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\msadc\en-US\.xX791.tmp | path = \\?\C:\Program Files\Common Files\System\msadc\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\msadc\en-US\.xX81F.tmp | path = \\?\C:\Program Files\Common Files\System\msadc\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\msadc\en-US\.xX949.tmp | path = \\?\C:\Program Files\Common Files\System\msadc\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\msadc\en-US\.xX988.tmp | path = \\?\C:\Program Files\Common Files\System\msadc\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\Ole DB\.xX9D7.tmp | path = \\?\C:\Program Files\Common Files\System\Ole DB, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\Ole DB\.xXA36.tmp | path = \\?\C:\Program Files\Common Files\System\Ole DB, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\Ole DB\.xXAC4.tmp | path = \\?\C:\Program Files\Common Files\System\Ole DB, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\Ole DB\.xXAD4.tmp | path = \\?\C:\Program Files\Common Files\System\Ole DB, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\.xXB43.tmp | path = \\?\C:\Program Files\Common Files\System\Ole DB\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\.xXBC1.tmp | path = \\?\C:\Program Files\Common Files\System\Ole DB\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\.xXC6E.tmp | path = \\?\C:\Program Files\Common Files\System\Ole DB\en-US, prefix = .xX |
|
1 | |
| Create Temp File | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\.xXD88.tmp | path = \\?\C:\Program Files\Common Files\System\Ole DB\en-US, prefix = .xX |
|
1 | |
| Get Info | \\?\C:\hiberfil.sys.NMCRYPT | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\swapfile.sys.NMCRYPT | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB | type = size, size_out = 23232 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml | type = size, size_out = 4136 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json | type = size, size_out = 63 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash | type = size, size_out = 102 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i641033.hash | type = size, size_out = 102 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i641033.hash | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeUpdateSchedule.xml | type = size, size_out = 4782 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeUpdateSchedule.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml | type = size, size_out = 4450 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml | type = size, size_out = 791421 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\Content.xml | type = size, size_out = 27045 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\Content.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi | type = size, size_out = 1600388 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat | type = size, size_out = 46624 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat | type = size, size_out = 491472 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat | type = size, size_out = 1100592 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat | type = size, size_out = 2508448 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat | type = size, size_out = 3526176 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml | type = size, size_out = 2418 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml | type = size, size_out = 2592 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml | type = size, size_out = 2462 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml | type = size, size_out = 2436 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml | type = size, size_out = 2556 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml | type = size, size_out = 2514 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | type = size, size_out = 2616 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml | type = size, size_out = 2618 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml | type = size, size_out = 2578 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml | type = size, size_out = 3024 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml | type = size, size_out = 2658 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml | type = size, size_out = 2628 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml | type = size, size_out = 2532 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml | type = size, size_out = 2518 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml | type = size, size_out = 2652 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml | type = size, size_out = 2570 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml | type = size, size_out = 2526 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml | type = size, size_out = 2522 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml | type = size, size_out = 2568 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml | type = size, size_out = 2626 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml | type = size, size_out = 2580 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml | type = size, size_out = 2600 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml | type = size, size_out = 2246 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml | type = size, size_out = 2240 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml | type = size, size_out = 2644 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml | type = size, size_out = 2542 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml | type = size, size_out = 2568 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml | type = size, size_out = 2596 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml | type = size, size_out = 2520 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | type = size, size_out = 2720 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui | type = size, size_out = 8192 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui | type = size, size_out = 8192 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui | type = size, size_out = 8192 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui | type = size, size_out = 8192 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi | type = size, size_out = 111320 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi | type = size, size_out = 48936 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi | type = size, size_out = 46622 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi | type = size, size_out = 84190 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi | type = size, size_out = 180172 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi | type = size, size_out = 208408 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui | type = size, size_out = 9216 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui | type = size, size_out = 5632 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui | type = size, size_out = 3584 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui | type = size, size_out = 23552 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui | type = size, size_out = 3584 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi | type = size, size_out = 199994 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui | type = size, size_out = 9728 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui | type = size, size_out = 10752 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui | type = size, size_out = 3584 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui | type = size, size_out = 3584 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui | type = size, size_out = 44544 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi | type = size, size_out = 181964 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui | type = size, size_out = 5632 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui | type = size, size_out = 3072 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui | type = size, size_out = 25600 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui | type = size, size_out = 8192 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui | type = size, size_out = 4096 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml | type = size, size_out = 212 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml | type = size, size_out = 215 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml | type = size, size_out = 693 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml | type = size, size_out = 44506 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml | type = size, size_out = 221 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml | type = size, size_out = 215 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml | type = size, size_out = 213 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | type = size, size_out = 219 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml | type = size, size_out = 215 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml | type = size, size_out = 591 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml | type = size, size_out = 1434 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml | type = size, size_out = 903 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml | type = size, size_out = 384 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml | type = size, size_out = 903 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml | type = size, size_out = 392 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml | type = size, size_out = 3333 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | type = size, size_out = 247 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml | type = size, size_out = 3524 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml | type = size, size_out = 3529 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml | type = size, size_out = 738 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml | type = size, size_out = 804 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml | type = size, size_out = 488 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml | type = size, size_out = 617 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml | type = size, size_out = 16616 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml | type = size, size_out = 15097 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml | type = size, size_out = 9803 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml | type = size, size_out = 11067 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml | type = size, size_out = 10947 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml | type = size, size_out = 737 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | type = size, size_out = 471 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml | type = size, size_out = 1069 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | type = size, size_out = 1437 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml | type = size, size_out = 924 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml | type = size, size_out = 694 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | type = size, size_out = 805 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml | type = size, size_out = 3823 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui | type = size, size_out = 7680 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui | type = size, size_out = 7168 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui | type = size, size_out = 7168 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml | type = size, size_out = 763 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui | type = size, size_out = 8192 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui | type = size, size_out = 8704 |
|
1 | |
| Get Info | \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui | type = file_attributes |
|
1 | |
| Move | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\.xXC747.tmp | source_filename = \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.NMCRYPT | size = 256 |
|
90 | |
| Write | \\?\C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.NMCRYPT | size = 208 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.NMCRYPT | size = 256 |
|
16 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.NMCRYPT | size = 48 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.NMCRYPT | size = 64 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i641033.hash.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i641033.hash.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\i641033.hash.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeUpdateSchedule.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeUpdateSchedule.xml.NMCRYPT | size = 256 |
|
18 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeUpdateSchedule.xml.NMCRYPT | size = 176 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeUpdateSchedule.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.NMCRYPT | size = 256 |
|
17 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\Content.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\Content.xml.NMCRYPT | size = 256 |
|
105 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\Content.xml.NMCRYPT | size = 176 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\Content.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.NMCRYPT | size = 256 |
|
182 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.NMCRYPT | size = 48 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.NMCRYPT | size = 128 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.NMCRYPT | size = 48 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.NMCRYPT | size = 160 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.NMCRYPT | size = 144 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.NMCRYPT | size = 64 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.NMCRYPT | size = 64 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.NMCRYPT | size = 32 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.NMCRYPT | size = 256 |
|
11 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.NMCRYPT | size = 80 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.NMCRYPT | size = 96 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.NMCRYPT | size = 16 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.NMCRYPT | size = 16 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.NMCRYPT | size = 80 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.NMCRYPT | size = 32 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.NMCRYPT | size = 48 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.NMCRYPT | size = 256 |
|
8 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.NMCRYPT | size = 208 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.NMCRYPT | size = 256 |
|
8 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.NMCRYPT | size = 208 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.NMCRYPT | size = 96 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.NMCRYPT | size = 16 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.NMCRYPT | size = 48 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.NMCRYPT | size = 176 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.NMCRYPT | size = 256 |
|
31 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.NMCRYPT | size = 256 |
|
31 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.NMCRYPT | size = 256 |
|
31 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.NMCRYPT | size = 256 |
|
31 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi.NMCRYPT | size = 256 |
|
191 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi.NMCRYPT | size = 48 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi.NMCRYPT | size = 256 |
|
182 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi.NMCRYPT | size = 32 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi.NMCRYPT | size = 256 |
|
250 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui.NMCRYPT | size = 256 |
|
35 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.NMCRYPT | size = 256 |
|
21 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.NMCRYPT | size = 256 |
|
13 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui.NMCRYPT | size = 256 |
|
91 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui.NMCRYPT | size = 256 |
|
13 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.NMCRYPT | size = 256 |
|
37 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.NMCRYPT | size = 256 |
|
41 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.NMCRYPT | size = 256 |
|
13 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.NMCRYPT | size = 256 |
|
13 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.NMCRYPT | size = 256 |
|
173 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.NMCRYPT | size = 256 |
|
21 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.NMCRYPT | size = 256 |
|
11 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.NMCRYPT | size = 256 |
|
99 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.NMCRYPT | size = 256 |
|
31 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.NMCRYPT | size = 256 |
|
15 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.NMCRYPT | size = 256 |
|
2 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.NMCRYPT | size = 192 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.NMCRYPT | size = 256 |
|
173 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.NMCRYPT | size = 256 |
|
2 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.NMCRYPT | size = 80 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.NMCRYPT | size = 256 |
|
5 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.NMCRYPT | size = 160 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.NMCRYPT | size = 256 |
|
3 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.NMCRYPT | size = 144 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.NMCRYPT | size = 256 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.NMCRYPT | size = 144 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.NMCRYPT | size = 256 |
|
3 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.NMCRYPT | size = 144 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.NMCRYPT | size = 256 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.NMCRYPT | size = 144 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.NMCRYPT | size = 256 |
|
13 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.NMCRYPT | size = 16 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.NMCRYPT | size = 256 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.NMCRYPT | size = 256 |
|
13 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.NMCRYPT | size = 208 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.NMCRYPT | size = 256 |
|
13 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.NMCRYPT | size = 208 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.NMCRYPT | size = 256 |
|
2 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.NMCRYPT | size = 256 |
|
3 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.NMCRYPT | size = 48 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.NMCRYPT | size = 256 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.NMCRYPT | size = 256 |
|
2 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.NMCRYPT | size = 256 |
|
64 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.NMCRYPT | size = 256 |
|
59 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.NMCRYPT | size = 256 |
|
38 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.NMCRYPT | size = 80 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.NMCRYPT | size = 256 |
|
43 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.NMCRYPT | size = 64 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.NMCRYPT | size = 256 |
|
42 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.NMCRYPT | size = 208 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.NMCRYPT | size = 256 |
|
2 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.NMCRYPT | size = 256 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.NMCRYPT | size = 256 |
|
4 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.NMCRYPT | size = 48 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.NMCRYPT | size = 256 |
|
5 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.NMCRYPT | size = 160 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.NMCRYPT | size = 256 |
|
3 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.NMCRYPT | size = 160 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.NMCRYPT | size = 256 |
|
2 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.NMCRYPT | size = 192 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.NMCRYPT | size = 256 |
|
3 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.NMCRYPT | size = 48 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.NMCRYPT | size = 256 |
|
14 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.NMCRYPT | size = 256 |
|
29 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.NMCRYPT | size = 256 |
|
27 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.NMCRYPT | size = 256 |
|
27 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml.NMCRYPT | size = 256 |
|
3 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.NMCRYPT | size = 256 |
|
31 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.NMCRYPT | size = 256 |
|
31 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.NMCRYPT | size = 256 |
|
31 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.NMCRYPT | size = 256 |
|
31 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.NMCRYPT | size = 256 |
|
33 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.NMCRYPT | size = 256 |
|
25 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-HK\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-HK\tipresx.dll.mui.NMCRYPT | size = 256 |
|
25 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-HK\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-HK\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.NMCRYPT | size = 256 |
|
25 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.NMCRYPT | size = 256 |
|
117 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm.NMCRYPT | size = 256 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg.NMCRYPT | size = 256 |
|
4 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg.NMCRYPT | size = 64 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Blue_Gradient.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Blue_Gradient.jpg.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Blue_Gradient.jpg.NMCRYPT | size = 16 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Blue_Gradient.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Cave_Drawings.gif.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Cave_Drawings.gif.NMCRYPT | size = 256 |
|
17 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Cave_Drawings.gif.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Cave_Drawings.gif.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Connectivity.gif.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Connectivity.gif.NMCRYPT | size = 256 |
|
9 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Connectivity.gif.NMCRYPT | size = 16 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Connectivity.gif.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Dotted_Lines.emf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Dotted_Lines.emf.NMCRYPT | size = 256 |
|
14 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Dotted_Lines.emf.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Dotted_Lines.emf.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg.NMCRYPT | size = 256 |
|
93 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg.NMCRYPT | size = 64 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_1.emf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_1.emf.NMCRYPT | size = 256 |
|
21 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_1.emf.NMCRYPT | size = 160 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_1.emf.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_2.emf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_2.emf.NMCRYPT | size = 256 |
|
40 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_2.emf.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Genko_2.emf.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Graph.emf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Graph.emf.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg.NMCRYPT | size = 256 |
|
25 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg.NMCRYPT | size = 16 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(cm).wmf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(cm).wmf.NMCRYPT | size = 256 |
|
11 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(cm).wmf.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(cm).wmf.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(inch).wmf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(inch).wmf.NMCRYPT | size = 256 |
|
29 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(inch).wmf.NMCRYPT | size = 80 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\grid_(inch).wmf.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg.NMCRYPT | size = 256 |
|
16 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg.NMCRYPT | size = 128 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Memo.emf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Memo.emf.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Monet.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Monet.jpg.NMCRYPT | size = 256 |
|
8 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Monet.jpg.NMCRYPT | size = 176 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Monet.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Month_Calendar.emf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Month_Calendar.emf.NMCRYPT | size = 256 |
|
16 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Month_Calendar.emf.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Month_Calendar.emf.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Music.emf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Music.emf.NMCRYPT | size = 256 |
|
101 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Music.emf.NMCRYPT | size = 192 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Music.emf.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Notebook.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Notebook.jpg.NMCRYPT | size = 256 |
|
11 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Notebook.jpg.NMCRYPT | size = 144 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Notebook.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg.NMCRYPT | size = 256 |
|
24 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg.NMCRYPT | size = 256 |
|
20 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pine_Lumber.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pine_Lumber.jpg.NMCRYPT | size = 256 |
|
15 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pine_Lumber.jpg.NMCRYPT | size = 144 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pine_Lumber.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pretty_Peacock.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pretty_Peacock.jpg.NMCRYPT | size = 256 |
|
20 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Pretty_Peacock.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Psychedelic.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Psychedelic.jpg.NMCRYPT | size = 256 |
|
54 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Psychedelic.jpg.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Psychedelic.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg.NMCRYPT | size = 256 |
|
7 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg.NMCRYPT | size = 144 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Sand_Paper.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Sand_Paper.jpg.NMCRYPT | size = 256 |
|
61 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Sand_Paper.jpg.NMCRYPT | size = 176 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Sand_Paper.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Seyes.emf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Seyes.emf.NMCRYPT | size = 256 |
|
145 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Seyes.emf.NMCRYPT | size = 208 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Seyes.emf.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg.NMCRYPT | size = 256 |
|
18 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg.NMCRYPT | size = 128 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Shorthand.emf.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Small_News.jpg.NMCRYPT | size = 256 |
|
7 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Small_News.jpg.NMCRYPT | size = 208 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Small_News.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg.NMCRYPT | size = 256 |
|
41 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg.NMCRYPT | size = 80 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm.NMCRYPT | size = 240 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg.NMCRYPT | size = 256 |
|
29 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg.NMCRYPT | size = 96 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stucco.gif.NMCRYPT | size = 256 |
|
7 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stucco.gif.NMCRYPT | size = 80 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Stucco.gif.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tanspecks.jpg.NMCRYPT | size = 256 |
|
14 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tanspecks.jpg.NMCRYPT | size = 80 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tanspecks.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tiki.gif.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tiki.gif.NMCRYPT | size = 256 |
|
18 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tiki.gif.NMCRYPT | size = 32 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Tiki.gif.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\To_Do_List.emf.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\To_Do_List.emf.NMCRYPT | size = 256 |
|
104 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\To_Do_List.emf.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\To_Do_List.emf.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\White_Chocolate.jpg.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\White_Chocolate.jpg.NMCRYPT | size = 256 |
|
12 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\White_Chocolate.jpg.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\White_Chocolate.jpg.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Wrinkled_Paper.gif.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Wrinkled_Paper.gif.NMCRYPT | size = 256 |
|
58 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Wrinkled_Paper.gif.NMCRYPT | size = 224 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\Stationery\Wrinkled_Paper.gif.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.NMCRYPT | size = 256 |
|
66 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.NMCRYPT | size = 160 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.NMCRYPT | size = 256 |
|
88 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.NMCRYPT | size = 160 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\Services\verisign.bmp.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\Services\verisign.bmp.NMCRYPT | size = 256 |
|
10 | |
| Write | \\?\C:\Program Files\Common Files\Services\verisign.bmp.NMCRYPT | size = 144 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\Services\verisign.bmp.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\adojavas.inc.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\adojavas.inc.NMCRYPT | size = 256 |
|
58 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\adojavas.inc.NMCRYPT | size = 16 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\adojavas.inc.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\adovbs.inc.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\adovbs.inc.NMCRYPT | size = 256 |
|
59 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\adovbs.inc.NMCRYPT | size = 96 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\adovbs.inc.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado20.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado20.tlb.NMCRYPT | size = 256 |
|
199 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado20.tlb.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado20.tlb.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado21.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado21.tlb.NMCRYPT | size = 256 |
|
211 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado21.tlb.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado21.tlb.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado25.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado25.tlb.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado26.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado26.tlb.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado27.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado27.tlb.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado28.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado28.tlb.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado60.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msado60.tlb.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msadomd28.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msadomd28.tlb.NMCRYPT | size = 256 |
|
55 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msadomd28.tlb.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msadomd28.tlb.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msador28.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msador28.tlb.NMCRYPT | size = 256 |
|
141 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msador28.tlb.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msador28.tlb.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msadox28.tlb.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msadox28.tlb.NMCRYPT | size = 256 |
|
97 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msadox28.tlb.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\msadox28.tlb.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.NMCRYPT | size = 256 |
|
71 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\adcjavas.inc.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\adcjavas.inc.NMCRYPT | size = 256 |
|
2 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\adcjavas.inc.NMCRYPT | size = 128 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\adcjavas.inc.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\adcvbs.inc.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\adcvbs.inc.NMCRYPT | size = 256 |
|
2 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\adcvbs.inc.NMCRYPT | size = 112 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\adcvbs.inc.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.NMCRYPT | size = 256 |
|
41 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.NMCRYPT | size = 256 |
|
25 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.NMCRYPT | size = 256 |
|
57 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.NMCRYPT | size = 256 |
|
31 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.NMCRYPT | size = 256 |
|
25 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.NMCRYPT | size = 256 |
|
38 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.NMCRYPT | size = 80 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.NMCRYPT | size = 256 |
|
39 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.NMCRYPT | size = 256 |
|
19 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.NMCRYPT | size = 256 |
|
11 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.NMCRYPT | size = 256 |
|
25 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.NMCRYPT | size = 256 |
|
189 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.NMCRYPT | size = 256 |
|
173 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.NMCRYPT | size = 256 |
|
73 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.NMCRYPT | size = 272 |
|
1 | |
| Write | \\?\C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\AppXManifest.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\AppXManifest.xml.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Microsoft Office\FileSystemMetadata.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\FileSystemMetadata.xml.NMCRYPT | size = 256 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\FileSystemMetadata.xml.NMCRYPT | size = 32 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\FileSystemMetadata.xml.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\Office16\OSPP.HTM.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\Office16\OSPP.HTM.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Microsoft Office\Office16\OSPP.VBS.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\Office16\OSPP.VBS.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Microsoft Office\Office16\SLERROR.XML.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\Office16\SLERROR.XML.NMCRYPT | size = 256 |
|
142 | |
| Write | \\?\C:\Program Files\Microsoft Office\Office16\SLERROR.XML.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.NMCRYPT | size = 256 |
|
249 | |
| Write | \\?\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\HM00172_.WMF.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\HM00172_.WMF.NMCRYPT | size = 256 |
|
11 | |
| Write | \\?\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\HM00172_.WMF.NMCRYPT | size = 32 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\HM00172_.WMF.NMCRYPT | size = 0 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\HM00426_.WMF.NMCRYPT | size = 512 |
|
1 | |
| Write | \\?\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\HM00426_.WMF.NMCRYPT | size = 256 |
|
207 | |
|
For performance reasons, the remaining 2642 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | data = C:\Users\CIiHmnxMn6Ps\Desktop\scvhost.exe supermetroidrules, size = 120, type = REG_SZ |
|
1 |
Process (82)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x774, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x168, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb58, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb2c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x764, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
2 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x2d0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xc2c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xc6c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
2 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xca8, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd10, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd50, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xda0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xddc, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe18, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe6c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xeb0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xeec, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xf20, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xf54, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xf88, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xfbc, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xff0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
2 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xc38, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xc44, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xcc8, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd48, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x300, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd7c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xdd4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
2 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xdb0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
2 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd18, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe24, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe2c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe98, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe74, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
2 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xec0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xef0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xf48, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xf38, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x560, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xa58, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x960, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xf6c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xf9c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xfdc, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xfc4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x1f4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe54, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xc90, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb3c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xc7c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xcd0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd44, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd84, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd64, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xdcc, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x210, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x420, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe84, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xef8, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe34, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x854, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x824, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xf68, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xfa0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xfc0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x9ec, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xc1c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xc9c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x42c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe30, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd1c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd5c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xd60, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xbf4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xe10, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
Module (5)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | libgcc_s_dw2-1.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\msvcrt.dll | base_address = 0x77a10000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\scvhost.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | libgcc_s_dw2-1.dll | process_name = c:\users\ciihmnxmn6ps\desktop\scvhost.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\scvhost.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = ___lc_codepage_func, address_out = 0x77a651e0 |
|
1 |
System (511)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
508 | |
| Get Time | type = System Time, time = 2018-04-15 00:08:42 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 119093 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #2: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c wevtutil cl Application |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:39 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x774 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
764
0x
B30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0442ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004410000 | 0x04410000 | 0x0441ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x04423fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04430fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04433fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004440000 | 0x04440000 | 0x04453fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x0449ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x0459ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000045a0000 | 0x045a0000 | 0x045a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000045b0000 | 0x045b0000 | 0x045b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x0460ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004620000 | 0x04620000 | 0x0462ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x0465ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x047bffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x047c0000 | 0x0487dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0497ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04980000 | 0x04cb6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f960000 | 0x7f960000 | 0x7fa5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fa60000 | 0x7fa60000 | 0x7fa82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fa84000 | 0x7fa84000 | 0x7fa84fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fa89000 | 0x7fa89000 | 0x7fa8bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fa8c000 | 0x7fa8c000 | 0x7fa8efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fa8f000 | 0x7fa8f000 | 0x7fa8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\wevtutil.exe | os_pid = 0x670, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #4: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil cl Application |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:36 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x670 |
| Parent PID | 0x774 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
300
0x
BD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wevtutil.exe | 0x00ac0000 | 0x00aeefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x04aeffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04af3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b10000 | 0x04b10000 | 0x04b23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004bb0000 | 0x04bb0000 | 0x04bb3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004bc0000 | 0x04bc0000 | 0x04bc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04bd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04be0000 | 0x04c9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wevtapi.dll | 0x74a20000 | 0x74a6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007fc70000 | 0x7fc70000 | 0x7fd6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fd70000 | 0x7fd70000 | 0x7fd92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fd96000 | 0x7fd96000 | 0x7fd98fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fd99000 | 0x7fd99000 | 0x7fd99fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fd9a000 | 0x7fd9a000 | 0x7fd9cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fd9d000 | 0x7fd9d000 | 0x7fd9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #5: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c wevtutil cl security |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x168 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
350
0x
2D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000260000 | 0x00260000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x0026ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00273fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00283fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x002a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00300fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00311fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04650000 | 0x0470dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004710000 | 0x04710000 | 0x0480ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x0489ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x048a0000 | 0x04bd6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f3c0000 | 0x7f3c0000 | 0x7f4bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f4c0000 | 0x7f4c0000 | 0x7f4e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4e3000 | 0x7f4e3000 | 0x7f4e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4e9000 | 0x7f4e9000 | 0x7f4ebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ec000 | 0x7f4ec000 | 0x7f4eefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ef000 | 0x7f4ef000 | 0x7f4effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\wevtutil.exe | os_pid = 0x758, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #7: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil cl security |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:35 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x758 |
| Parent PID | 0x168 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B0C
0x
544
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00ac0000 | 0x00aeefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x04ceffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d11fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d20000 | 0x04d20000 | 0x04d33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004dd0000 | 0x04dd0000 | 0x04dd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x0503ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f210000 | 0x7f210000 | 0x7f232fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f238000 | 0x7f238000 | 0x7f238fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f23b000 | 0x7f23b000 | 0x7f23dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f23e000 | 0x7f23e000 | 0x7f23efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #8: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c wevtutil cl setup |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9CC
0x
604
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x04b9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04baffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004bd0000 | 0x04bd0000 | 0x04be3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004d40000 | 0x04d40000 | 0x04d40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04e20000 | 0x04eddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x050bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x051bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x052fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05300000 | 0x05636fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e520000 | 0x7e520000 | 0x7e61ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e620000 | 0x7e620000 | 0x7e642fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e647000 | 0x7e647000 | 0x7e649fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e64a000 | 0x7e64a000 | 0x7e64afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e64c000 | 0x7e64c000 | 0x7e64efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e64f000 | 0x7e64f000 | 0x7e64ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 249, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\wevtutil.exe | os_pid = 0x9ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #10: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil cl setup |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:34 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ec |
| Parent PID | 0xb58 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F0
0x
8BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005c0000 | 0x005c0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00603fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00693fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wevtutil.exe | 0x00ac0000 | 0x00aeefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x04aeffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007fa70000 | 0x7fa70000 | 0x7fa92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fa98000 | 0x7fa98000 | 0x7fa9afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fa9b000 | 0x7fa9b000 | 0x7fa9bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fa9e000 | 0x7fa9e000 | 0x7fa9efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #11: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c wevtutil cl system |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb2c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6C8
0x
300
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000140000 | 0x00140000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x0014ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00153fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00163fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00183fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00300000 | 0x003bdfff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0444ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044b0000 | 0x044b0000 | 0x044bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x044dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x0474ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04750000 | 0x04a86fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f160000 | 0x7f160000 | 0x7f25ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f260000 | 0x7f260000 | 0x7f282fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f284000 | 0x7f284000 | 0x7f284fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f285000 | 0x7f285000 | 0x7f285fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f28a000 | 0x7f28a000 | 0x7f28cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f28d000 | 0x7f28d000 | 0x7f28ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 226, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\wevtutil.exe | os_pid = 0xbd8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #13: wevtutil.exe
0
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\wevtutil.exe |
| Command Line | wevtutil cl system |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:34 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd8 |
| Parent PID | 0xb2c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
488
0x
B30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| wevtutil.exe | 0x00ac0000 | 0x00aeefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x04f1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f41fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04feffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ff0000 | 0x04ff0000 | 0x04ff3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05000fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x05011fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050a0000 | 0x050a0000 | 0x050affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7ee12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee1b000 | 0x7ee1b000 | 0x7ee1dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee1e000 | 0x7ee1e000 | 0x7ee1efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee1f000 | 0x7ee1f000 | 0x7ee1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #14: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c vssadmin.exe Delete Shadows \/All \/Quiet |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x764 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
438
0x
838
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x0496ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004970000 | 0x04970000 | 0x0498ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004970000 | 0x04970000 | 0x0497ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04983fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x04990fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x04993fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000049a0000 | 0x049a0000 | 0x049b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x049fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04afffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b00000 | 0x04b00000 | 0x04b03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004b10000 | 0x04b10000 | 0x04b10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b21fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04b30000 | 0x04bedfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x0515ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05160000 | 0x05496fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f250000 | 0x7f250000 | 0x7f34ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f350000 | 0x7f350000 | 0x7f372fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f378000 | 0x7f378000 | 0x7f37afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f37b000 | 0x7f37b000 | 0x7f37bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f37c000 | 0x7f37c000 | 0x7f37cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f37d000 | 0x7f37d000 | 0x7f37ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Get Info | vssadmin.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\vssadmin.exe | os_pid = 0xb0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #16: vssadmin.exe
0
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\syswow64\vssadmin.exe |
| Command Line | vssadmin.exe Delete Shadows \/All \/Quiet |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:35 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb0c |
| Parent PID | 0x764 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
544
0x
53C
0x
350
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| vssadmin.exe | 0x00270000 | 0x0028dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x04abffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04adffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ac0000 | 0x04ac0000 | 0x04acffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04ad3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04ae1fff | Private Memory | Readable, Writable |
|
|
|
- |
| vssadmin.exe.mui | 0x04ae0000 | 0x04aecfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000004af0000 | 0x04af0000 | 0x04b03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04b93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04ba0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04bd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04beffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04bf0000 | 0x04cadfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005000000 | 0x05000000 | 0x05187fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005190000 | 0x05190000 | 0x05310fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005320000 | 0x05320000 | 0x0671ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vssapi.dll | 0x74910000 | 0x74a2afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vsstrace.dll | 0x74a30000 | 0x74a40fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x74a50000 | 0x74a67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f980000 | 0x7f980000 | 0x7fa7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fa80000 | 0x7fa80000 | 0x7faa2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007faa4000 | 0x7faa4000 | 0x7faa6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007faa7000 | 0x7faa7000 | 0x7faa7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007faa8000 | 0x7faa8000 | 0x7faa8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007faaa000 | 0x7faaa000 | 0x7faacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007faad000 | 0x7faad000 | 0x7faaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #17: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2d0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
778
0x
8BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x04d9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004da0000 | 0x04da0000 | 0x04daffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04db3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004dd0000 | 0x04dd0000 | 0x04de3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f30000 | 0x04f30000 | 0x04f33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f51fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04f60000 | 0x0501dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0505ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x050fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0512ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0522ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x053cffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x053d0000 | 0x05706fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e930000 | 0x7e930000 | 0x7ea2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ea30000 | 0x7ea30000 | 0x7ea52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ea56000 | 0x7ea56000 | 0x7ea58fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea59000 | 0x7ea59000 | 0x7ea5bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea5c000 | 0x7ea5c000 | 0x7ea5cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea5f000 | 0x7ea5f000 | 0x7ea5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 48, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0x594, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = Firebird |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #19: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:33 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x594 |
| Parent PID | 0x2d0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9CC
0x
604
0x
9EC
0x
B58
0x
4D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c00000 | 0x00c00000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c13fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c21fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d53fff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00d60000 | 0x00d60fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d9ffff | Private Memory | - |
|
|
|
- |
| wmic.exe.mui | 0x00da0000 | 0x00daffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00eb0000 | 0x00f6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x00fb0000 | 0x01098fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x0113ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00fb0000 | 0x00fd9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0105ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01127fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x0117ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001180000 | 0x01180000 | 0x01194fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x011b0000 | 0x0128efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001290000 | 0x01290000 | 0x012cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000012d0000 | 0x012d0000 | 0x012f8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05370000 | 0x056a6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000056b0000 | 0x056b0000 | 0x058affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000056b0000 | 0x056b0000 | 0x05837fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005840000 | 0x05840000 | 0x0587ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000058a0000 | 0x058a0000 | 0x058affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000058b0000 | 0x058b0000 | 0x05aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000058b0000 | 0x058b0000 | 0x05a30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005a40000 | 0x05a40000 | 0x05a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005aa0000 | 0x05aa0000 | 0x05aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005ab0000 | 0x05ab0000 | 0x05caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005ab0000 | 0x05ab0000 | 0x05c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005ab0000 | 0x05ab0000 | 0x05baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005c80000 | 0x05c80000 | 0x05c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005ca0000 | 0x05ca0000 | 0x05caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005cb0000 | 0x05cb0000 | 0x060affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000060b0000 | 0x060b0000 | 0x074affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f5fa000 | 0x7f5fa000 | 0x7f5fcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5fd000 | 0x7f5fd000 | 0x7f5fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f600000 | 0x7f600000 | 0x7f6fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f700000 | 0x7f700000 | 0x7f722fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f724000 | 0x7f724000 | 0x7f726fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f727000 | 0x7f727000 | 0x7f727fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f728000 | 0x7f728000 | 0x7f728fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f72a000 | 0x7f72a000 | 0x7f72cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f72d000 | 0x7f72d000 | 0x7f72ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%Firebird%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:08:52 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #20: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:39, Reason: RPC Server |
| Unmonitor | End Time: 00:01:44, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x378 |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
274
0x
518
0x
820
0x
B0
0x
B88
0x
A1C
0x
AF4
0x
8B8
0x
B68
0x
1F4
0x
42C
0x
65C
0x
BF4
0x
B44
0x
428
0x
450
0x
938
0x
310
0x
798
0x
878
0x
870
0x
784
0x
780
0x
754
0x
750
0x
740
0x
73C
0x
738
0x
734
0x
688
0x
730
0x
724
0x
71C
0x
70C
0x
708
0x
6F4
0x
6EC
0x
6D4
0x
6B4
0x
694
0x
680
0x
664
0x
650
0x
64C
0x
630
0x
628
0x
5F8
0x
5E4
0x
5CC
0x
5C4
0x
574
0x
558
0x
530
0x
4DC
0x
414
0x
118
0x
FC
0x
140
0x
1A0
0x
14C
0x
154
0x
130
0x
160
0x
F8
0x
3DC
0x
3D8
0x
3D0
0x
3CC
0x
3C8
0x
37C
0x
350
0x
CE0
0x
CE4
0x
CE8
0x
CEC
0x
CF0
0x
CF4
0x
CF8
0x
CFC
0x
E00
0x
E04
0x
4D0
0x
B58
0x
C70
0x
F04
0x
D6C
0x
DCC
0x
D54
0x
DA4
0x
DA0
0x
D64
0x
D7C
0x
DB4
0x
D60
0x
D74
0x
D68
0x
CB0
0x
D88
0x
D34
0x
DF0
0x
718
0x
9C8
0x
B00
0x
354
0x
E08
0x
E0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e5e10000 | 0x51e5e10000 | 0x51e5e1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| svchost.exe.mui | 0x51e5e20000 | 0x51e5e20fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000051e5e30000 | 0x51e5e30000 | 0x51e5e43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e5e50000 | 0x51e5e50000 | 0x51e5ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e5ed0000 | 0x51e5ed0000 | 0x51e5ed3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e5ee0000 | 0x51e5ee0000 | 0x51e5ee0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e5ef0000 | 0x51e5ef0000 | 0x51e5ef1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x51e5f00000 | 0x51e5fbdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e5fc0000 | 0x51e5fc0000 | 0x51e5fc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e5fd0000 | 0x51e5fd0000 | 0x51e5fd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e5fe0000 | 0x51e5fe0000 | 0x51e5fe0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e5ff0000 | 0x51e5ff0000 | 0x51e5ff0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e6000000 | 0x51e6000000 | 0x51e60fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e6100000 | 0x51e6100000 | 0x51e617ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e6180000 | 0x51e6180000 | 0x51e6180fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e6190000 | 0x51e6190000 | 0x51e6190fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e61a0000 | 0x51e61a0000 | 0x51e61a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e61b0000 | 0x51e61b0000 | 0x51e61b6fff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x51e61c0000 | 0x51e61c3fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x51e61d0000 | 0x51e61d3fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e61e0000 | 0x51e61e0000 | 0x51e61e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| iphlpsvc.dll.mui | 0x51e61f0000 | 0x51e61fcfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e6200000 | 0x51e6200000 | 0x51e62fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e6300000 | 0x51e6300000 | 0x51e6487fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e6490000 | 0x51e6490000 | 0x51e6610fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e6620000 | 0x51e6620000 | 0x51e66dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e66e0000 | 0x51e66e0000 | 0x51e675ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e6760000 | 0x51e6760000 | 0x51e67dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e67e0000 | 0x51e67e0000 | 0x51e68dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e68e0000 | 0x51e68e0000 | 0x51e69dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e69e0000 | 0x51e69e0000 | 0x51e6adffff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000b.db | 0x51e6ae0000 | 0x51e6b22fff | Memory Mapped File | Readable |
|
|
|
- |
| propsys.dll.mui | 0x51e6b30000 | 0x51e6b40fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e6b50000 | 0x51e6b50000 | 0x51e6b56fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e6b60000 | 0x51e6b60000 | 0x51e6bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e6be0000 | 0x51e6be0000 | 0x51e6be1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gpsvc.dll.mui | 0x51e6bf0000 | 0x51e6bfcfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e6c00000 | 0x51e6c00000 | 0x51e6cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x51e6d00000 | 0x51e7036fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e7040000 | 0x51e7040000 | 0x51e713ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7140000 | 0x51e7140000 | 0x51e723ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7240000 | 0x51e7240000 | 0x51e733ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7340000 | 0x51e7340000 | 0x51e743ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7440000 | 0x51e7440000 | 0x51e74bffff | Private Memory | Readable, Writable |
|
|
|
- |
| vsstrace.dll.mui | 0x51e74c0000 | 0x51e74c8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e74d0000 | 0x51e74d0000 | 0x51e74d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| activeds.dll.mui | 0x51e74e0000 | 0x51e74e1fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000051e74f0000 | 0x51e74f0000 | 0x51e74f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000051e7500000 | 0x51e7500000 | 0x51e75fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7600000 | 0x51e7600000 | 0x51e76fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7700000 | 0x51e7700000 | 0x51e777ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7780000 | 0x51e7780000 | 0x51e787ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7880000 | 0x51e7880000 | 0x51e797ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7980000 | 0x51e7980000 | 0x51e7a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7a80000 | 0x51e7a80000 | 0x51e7afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7b00000 | 0x51e7b00000 | 0x51e7bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x51e7c00000 | 0x51e7c8afff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e7c90000 | 0x51e7c90000 | 0x51e7d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7d90000 | 0x51e7d90000 | 0x51e7e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7e90000 | 0x51e7e90000 | 0x51e7f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e7f90000 | 0x51e7f90000 | 0x51e800ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e8010000 | 0x51e8010000 | 0x51e8010fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e8020000 | 0x51e8020000 | 0x51e8022fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000051e8030000 | 0x51e8030000 | 0x51e8030fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051e8040000 | 0x51e8040000 | 0x51e8040fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8050000 | 0x51e8050000 | 0x51e80cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e80d0000 | 0x51e80d0000 | 0x51e80e7fff | Private Memory | Readable, Writable |
|
|
|
- |
| winnlsres.dll | 0x51e80f0000 | 0x51e80f4fff | Memory Mapped File | Readable |
|
|
|
- |
| usocore.dll.mui | 0x51e8100000 | 0x51e8100fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e8110000 | 0x51e8110000 | 0x51e820ffff | Private Memory | Readable, Writable |
|
|
|
- |
| winnlsres.dll.mui | 0x51e8210000 | 0x51e821ffff | Memory Mapped File | Readable |
|
|
|
- |
| mswsock.dll.mui | 0x51e8220000 | 0x51e8222fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e8290000 | 0x51e8290000 | 0x51e838ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8390000 | 0x51e8390000 | 0x51e848ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8490000 | 0x51e8490000 | 0x51e850ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8600000 | 0x51e8600000 | 0x51e8606fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8630000 | 0x51e8630000 | 0x51e8636fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8700000 | 0x51e8700000 | 0x51e87fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8800000 | 0x51e8800000 | 0x51e88fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8900000 | 0x51e8900000 | 0x51e89fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8a80000 | 0x51e8a80000 | 0x51e8b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8c00000 | 0x51e8c00000 | 0x51e8c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8c80000 | 0x51e8c80000 | 0x51e8d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8e00000 | 0x51e8e00000 | 0x51e8e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e8f00000 | 0x51e8f00000 | 0x51e8ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9000000 | 0x51e9000000 | 0x51e90fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9100000 | 0x51e9100000 | 0x51e917ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9180000 | 0x51e9180000 | 0x51e91fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9200000 | 0x51e9200000 | 0x51e92fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9300000 | 0x51e9300000 | 0x51e93fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9400000 | 0x51e9400000 | 0x51e94fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9500000 | 0x51e9500000 | 0x51e95fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9600000 | 0x51e9600000 | 0x51e96fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9700000 | 0x51e9700000 | 0x51e97fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9800000 | 0x51e9800000 | 0x51e98fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9900000 | 0x51e9900000 | 0x51e99fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9a00000 | 0x51e9a00000 | 0x51e9afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9b00000 | 0x51e9b00000 | 0x51e9bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9c00000 | 0x51e9c00000 | 0x51e9cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9d00000 | 0x51e9d00000 | 0x51e9dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051e9e00000 | 0x51e9e00000 | 0x51e9efffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x51e9f00000 | 0x51e9fdefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000051e9fe0000 | 0x51e9fe0000 | 0x51ea0dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea0e0000 | 0x51ea0e0000 | 0x51ea15ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea170000 | 0x51ea170000 | 0x51ea176fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea180000 | 0x51ea180000 | 0x51ea27ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea300000 | 0x51ea300000 | 0x51ea3fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea400000 | 0x51ea400000 | 0x51ea4fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea500000 | 0x51ea500000 | 0x51ea5fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea600000 | 0x51ea600000 | 0x51ea6fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea700000 | 0x51ea700000 | 0x51ea7fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea800000 | 0x51ea800000 | 0x51ea8fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051ea900000 | 0x51ea900000 | 0x51ea9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eaa00000 | 0x51eaa00000 | 0x51eaafffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eab00000 | 0x51eab00000 | 0x51eabfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eac00000 | 0x51eac00000 | 0x51eacfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000051ead00000 | 0x51ead00000 | 0x51eadfffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eae00000 | 0x51eae00000 | 0x51eaefffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eaf00000 | 0x51eaf00000 | 0x51eaffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb000000 | 0x51eb000000 | 0x51eb0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb1d0000 | 0x51eb1d0000 | 0x51eb1d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb1e0000 | 0x51eb1e0000 | 0x51eb2dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb2e0000 | 0x51eb2e0000 | 0x51eb3dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb3e0000 | 0x51eb3e0000 | 0x51eb4dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb4e0000 | 0x51eb4e0000 | 0x51eb5dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb5e0000 | 0x51eb5e0000 | 0x51eb6dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb6e0000 | 0x51eb6e0000 | 0x51eb7dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb7e0000 | 0x51eb7e0000 | 0x51eb8dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb8e0000 | 0x51eb8e0000 | 0x51eb9dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000051eb9e0000 | 0x51eb9e0000 | 0x51ebadffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ffdb0000 | 0x7df5ffdb0000 | 0x7ff5ffdaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7b3ab0000 | 0x7ff7b3ab0000 | 0x7ff7b3ab1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ab2000 | 0x7ff7b3ab2000 | 0x7ff7b3ab3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ab4000 | 0x7ff7b3ab4000 | 0x7ff7b3ab5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ab6000 | 0x7ff7b3ab6000 | 0x7ff7b3ab7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ab8000 | 0x7ff7b3ab8000 | 0x7ff7b3ab9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aba000 | 0x7ff7b3aba000 | 0x7ff7b3abbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3abc000 | 0x7ff7b3abc000 | 0x7ff7b3abdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3abe000 | 0x7ff7b3abe000 | 0x7ff7b3abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac0000 | 0x7ff7b3ac0000 | 0x7ff7b3ac1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac2000 | 0x7ff7b3ac2000 | 0x7ff7b3ac3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac4000 | 0x7ff7b3ac4000 | 0x7ff7b3ac5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac6000 | 0x7ff7b3ac6000 | 0x7ff7b3ac7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ac8000 | 0x7ff7b3ac8000 | 0x7ff7b3ac9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3aca000 | 0x7ff7b3aca000 | 0x7ff7b3acbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3acc000 | 0x7ff7b3acc000 | 0x7ff7b3acdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ace000 | 0x7ff7b3ace000 | 0x7ff7b3acffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ad0000 | 0x7ff7b3ad0000 | 0x7ff7b3ad1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7b3ad2000 | 0x7ff7b3ad2000 | 0x7ff7b3ad3fff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 326 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #22: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:27 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc2c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C30
0x
C44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000380000 | 0x00380000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x0038ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004410000 | 0x04410000 | 0x04423fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x0446ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004470000 | 0x04470000 | 0x0456ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004570000 | 0x04570000 | 0x04570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x04581fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x0468ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x046cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046e0000 | 0x046e0000 | 0x046effff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x046f0000 | 0x047adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x048affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049effff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x049f0000 | 0x04d26fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7ebbffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ebe2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ebe6000 | 0x7ebe6000 | 0x7ebe6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebe9000 | 0x7ebe9000 | 0x7ebebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebec000 | 0x7ebec000 | 0x7ebeefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebef000 | 0x7ebef000 | 0x7ebeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 32, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xc48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = MSSQL |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #24: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:43, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:27 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc48 |
| Parent PID | 0xc2c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C4C
0x
C5C
0x
C60
0x
C64
0x
C68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000980000 | 0x00980000 | 0x0099ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0098ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00993fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a71fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ae0000 | 0x00b9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00be3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00c00000 | 0x00c00fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c2ffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x00c30000 | 0x00c59fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x00c30000 | 0x00c3ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c40fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c50fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x00db0000 | 0x00e98fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e64fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f38fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00f50000 | 0x01286fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001290000 | 0x01290000 | 0x012cffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0550ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x05370000 | 0x0544efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005500000 | 0x05500000 | 0x0550ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005510000 | 0x05510000 | 0x056bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005510000 | 0x05510000 | 0x05697fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000056b0000 | 0x056b0000 | 0x056bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000056c0000 | 0x056c0000 | 0x05abffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005ac0000 | 0x05ac0000 | 0x05c40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005c50000 | 0x05c50000 | 0x0704ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000007050000 | 0x07050000 | 0x07107fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000007110000 | 0x07110000 | 0x0720ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e82a000 | 0x7e82a000 | 0x7e82cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82d000 | 0x7e82d000 | 0x7e82ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e830000 | 0x7e830000 | 0x7e92ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e930000 | 0x7e930000 | 0x7e952fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e954000 | 0x7e954000 | 0x7e956fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e957000 | 0x7e957000 | 0x7e959fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e95a000 | 0x7e95a000 | 0x7e95afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e95c000 | 0x7e95c000 | 0x7e95efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e95f000 | 0x7e95f000 | 0x7e95ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%MSSQL%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:08:56 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #25: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc6c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C70
0x
C84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x04b1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b20000 | 0x04b20000 | 0x04b2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b33fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b41fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b43fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b50000 | 0x04b50000 | 0x04b63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04caffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004cb0000 | 0x04cb0000 | 0x04cb3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04ce0000 | 0x04d9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04ddffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x050bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000051e0000 | 0x051e0000 | 0x051effff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x051f0000 | 0x05526fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eae0000 | 0x7eae0000 | 0x7ebdffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ebe0000 | 0x7ebe0000 | 0x7ec02fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ec04000 | 0x7ec04000 | 0x7ec04fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec06000 | 0x7ec06000 | 0x7ec06fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec0a000 | 0x7ec0a000 | 0x7ec0cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec0d000 | 0x7ec0d000 | 0x7ec0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xc8c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = SQL |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #27: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc8c |
| Parent PID | 0xc6c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C90
0x
C98
0x
C9C
0x
CA0
0x
CA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b60000 | 0x00b60000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00ba3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00c40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00cc0000 | 0x00cc0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ce0000 | 0x00d9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00ddffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00dfffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x00e00000 | 0x00e29fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x00e00000 | 0x00e0ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e10fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x00f40000 | 0x01028fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fe4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x010b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0119ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0110ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0114ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0118ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x0119ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x011b0000 | 0x0128efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012fffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05370000 | 0x056a6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000056b0000 | 0x056b0000 | 0x05aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005ab0000 | 0x05ab0000 | 0x05c37fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005c40000 | 0x05c40000 | 0x05dc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005dd0000 | 0x05dd0000 | 0x071cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000071d0000 | 0x071d0000 | 0x072fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000071d0000 | 0x071d0000 | 0x072cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000072f0000 | 0x072f0000 | 0x072fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000007300000 | 0x07300000 | 0x07328fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f4f7000 | 0x7f4f7000 | 0x7f4f9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4fa000 | 0x7f4fa000 | 0x7f4fcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4fd000 | 0x7f4fd000 | 0x7f4fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f500000 | 0x7f500000 | 0x7f5fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f600000 | 0x7f600000 | 0x7f622fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f625000 | 0x7f625000 | 0x7f627fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f628000 | 0x7f628000 | 0x7f628fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f62b000 | 0x7f62b000 | 0x7f62dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f62e000 | 0x7f62e000 | 0x7f62efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%SQL%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:08:57 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #28: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xca8 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CAC
0x
CC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x04f0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f10000 | 0x04f10000 | 0x04f1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f31fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f33fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x0509ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000050a0000 | 0x050a0000 | 0x050a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000050b0000 | 0x050b0000 | 0x050b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x050d0000 | 0x0518dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x05193fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x051affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x053dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000053e0000 | 0x053e0000 | 0x054dffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x054e0000 | 0x05816fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e590000 | 0x7e590000 | 0x7e68ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e690000 | 0x7e690000 | 0x7e6b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e6b5000 | 0x7e6b5000 | 0x7e6b7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6b8000 | 0x7e6b8000 | 0x7e6bafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6bb000 | 0x7e6bb000 | 0x7e6bbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6be000 | 0x7e6be000 | 0x7e6befff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xcc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = Exchange |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #30: wmic.exe
16
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcc4 |
| Parent PID | 0xca8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CC8
0x
CCC
0x
CD0
0x
CD4
0x
CD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000450000 | 0x00450000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x0045ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00463fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00471fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00470fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00493fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00523fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00530fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00541fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00590fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x005c0000 | 0x005c0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x006e0000 | 0x0079dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007fffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x00800000 | 0x00829fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x00800000 | 0x0080ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00810fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x00820fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00830fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00833fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00890000 | 0x00bc6fff | Memory Mapped File | Readable |
|
|
|
- |
| ole32.dll | 0x00bd0000 | 0x00cb8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c64fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00cd0000 | 0x00daefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00f97fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x01170fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001180000 | 0x01180000 | 0x01237fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001240000 | 0x01240000 | 0x01268fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0576ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005770000 | 0x05770000 | 0x06b6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006b70000 | 0x06b70000 | 0x06d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006b70000 | 0x06b70000 | 0x06c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006d20000 | 0x06d20000 | 0x06d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f567000 | 0x7f567000 | 0x7f569fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f56a000 | 0x7f56a000 | 0x7f56cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f56d000 | 0x7f56d000 | 0x7f56ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f570000 | 0x7f570000 | 0x7f66ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f670000 | 0x7f670000 | 0x7f692fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f694000 | 0x7f694000 | 0x7f694fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f697000 | 0x7f697000 | 0x7f697fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f69a000 | 0x7f69a000 | 0x7f69cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f69d000 | 0x7f69d000 | 0x7f69ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%Exchange%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Unknown | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:08:58 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #31: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd10 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D14
0x
D30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x04faffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x04fbffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04fd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x04fd3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04ff3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0503ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0513ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005140000 | 0x05140000 | 0x05143fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005150000 | 0x05150000 | 0x05150fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x05161fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x05170000 | 0x0522dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0526ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x052affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005320000 | 0x05320000 | 0x0541ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005420000 | 0x05420000 | 0x0551ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005630000 | 0x05630000 | 0x0563ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05640000 | 0x05976fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f3c0000 | 0x7f3c0000 | 0x7f4bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f4c0000 | 0x7f4c0000 | 0x7f4e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4e6000 | 0x7f4e6000 | 0x7f4e8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4e9000 | 0x7f4e9000 | 0x7f4e9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ec000 | 0x7f4ec000 | 0x7f4eefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ef000 | 0x7f4ef000 | 0x7f4effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xd34, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = wsbex |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #33: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd34 |
| Parent PID | 0xd10 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D38
0x
D3C
0x
D40
0x
D44
0x
D48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000880000 | 0x00880000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x0088ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00893fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0094ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00953fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00960fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00980000 | 0x00a3dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00af0000 | 0x00af0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe.mui | 0x00b20000 | 0x00b2ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00b70000 | 0x00b99fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bc4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bd8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00cf0000 | 0x01026fff | Memory Mapped File | Readable |
|
|
|
- |
| ole32.dll | 0x01030000 | 0x01118fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0110ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001030000 | 0x01030000 | 0x010e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0110ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x01110000 | 0x011eefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x012effff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0576ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005770000 | 0x05770000 | 0x058f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005900000 | 0x05900000 | 0x05a80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005a90000 | 0x05a90000 | 0x06e8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006e90000 | 0x06e90000 | 0x06ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006ed0000 | 0x06ed0000 | 0x06f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006f10000 | 0x06f10000 | 0x06f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006f50000 | 0x06f50000 | 0x06f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006f90000 | 0x06f90000 | 0x06fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006fd0000 | 0x06fd0000 | 0x0700ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efca000 | 0x7efca000 | 0x7efccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efcd000 | 0x7efcd000 | 0x7efcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efd0000 | 0x7efd0000 | 0x7f0cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f0f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0f3000 | 0x7f0f3000 | 0x7f0f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0f4000 | 0x7f0f4000 | 0x7f0f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0f7000 | 0x7f0f7000 | 0x7f0f9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0fa000 | 0x7f0fa000 | 0x7f0fafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0fd000 | 0x7f0fd000 | 0x7f0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%wsbex%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:08:59 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #34: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:00:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd50 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D54
0x
D68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x04f5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f60000 | 0x04f60000 | 0x04f6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f81fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f83fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f90000 | 0x04f90000 | 0x04fa3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04feffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x050effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000050f0000 | 0x050f0000 | 0x050f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005100000 | 0x05100000 | 0x05100fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x05111fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x05120000 | 0x051ddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005210000 | 0x05210000 | 0x0521ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005220000 | 0x05220000 | 0x0525ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x053dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000053e0000 | 0x053e0000 | 0x054dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005610000 | 0x05610000 | 0x0561ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05620000 | 0x05956fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f1cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f1d0000 | 0x7f1d0000 | 0x7f1f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f1f7000 | 0x7f1f7000 | 0x7f1f7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1f9000 | 0x7f1f9000 | 0x7f1fbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1fc000 | 0x7f1fc000 | 0x7f1fcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1fd000 | 0x7f1fd000 | 0x7f1fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 101, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xd6c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = postgresql |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #36: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:00:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd6c |
| Parent PID | 0xd50 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D70
0x
D74
0x
D78
0x
D7C
0x
D80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c80000 | 0x00c80000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c93fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cc3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d71fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d93fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00df0000 | 0x00df0fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x00e00000 | 0x00e0ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00f20000 | 0x00fddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x01020000 | 0x01108fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x010bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0103ffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x01040000 | 0x01069fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x01040fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x01050fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01063fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x010affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0113ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0115ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0128ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x01160000 | 0x0123efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0127ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001280000 | 0x01280000 | 0x0128ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001290000 | 0x01290000 | 0x012a4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012fffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05370000 | 0x056a6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000056b0000 | 0x056b0000 | 0x0589ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000056b0000 | 0x056b0000 | 0x05837fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005840000 | 0x05840000 | 0x0587ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005890000 | 0x05890000 | 0x0589ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000058a0000 | 0x058a0000 | 0x05c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005ca0000 | 0x05ca0000 | 0x05e20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005e30000 | 0x05e30000 | 0x0722ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000007230000 | 0x07230000 | 0x073bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000007230000 | 0x07230000 | 0x072e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000072f0000 | 0x072f0000 | 0x07318fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000073b0000 | 0x073b0000 | 0x073bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000073c0000 | 0x073c0000 | 0x074bffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ed6a000 | 0x7ed6a000 | 0x7ed6cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed6d000 | 0x7ed6d000 | 0x7ed6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ed70000 | 0x7ed70000 | 0x7ee6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee70000 | 0x7ee70000 | 0x7ee92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee94000 | 0x7ee94000 | 0x7ee96fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee97000 | 0x7ee97000 | 0x7ee99fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee9a000 | 0x7ee9a000 | 0x7ee9cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee9d000 | 0x7ee9d000 | 0x7ee9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee9f000 | 0x7ee9f000 | 0x7ee9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%postgresql%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:01 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #37: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA4
0x
DBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x044cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x044effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000044d0000 | 0x044d0000 | 0x044dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x044e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x044f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x044f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004500000 | 0x04500000 | 0x04513fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x0455ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x0465ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004660000 | 0x04660000 | 0x04663fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004670000 | 0x04670000 | 0x04670fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x04681fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x046cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046f0000 | 0x046f0000 | 0x046fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004740000 | 0x04740000 | 0x0474ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x0489ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x048a0000 | 0x0495dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x04a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04a60000 | 0x04d96fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e860000 | 0x7e860000 | 0x7e95ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e960000 | 0x7e960000 | 0x7e982fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e986000 | 0x7e986000 | 0x7e986fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e988000 | 0x7e988000 | 0x7e98afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e98b000 | 0x7e98b000 | 0x7e98dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e98e000 | 0x7e98e000 | 0x7e98efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xdc0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = BACKP |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #39: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdc0 |
| Parent PID | 0xda0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DC4
0x
DC8
0x
DCC
0x
DD0
0x
DD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a60000 | 0x00a60000 | 0x00a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00aa3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b51fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00c80000 | 0x00c80fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00cc0000 | 0x00d7dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00e00000 | 0x01136fff | Memory Mapped File | Readable |
|
|
|
- |
| ole32.dll | 0x01140000 | 0x01228fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x012fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x012affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x0123ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x01140000 | 0x0121efff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x01220000 | 0x0122ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0123ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0125ffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x01260000 | 0x01289fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001260000 | 0x01260000 | 0x01260fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001270000 | 0x01270000 | 0x01270fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x01280fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x01283fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x012affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012f0000 | 0x012f0000 | 0x012fffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0555ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005370000 | 0x05370000 | 0x054f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005500000 | 0x05500000 | 0x0553ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005550000 | 0x05550000 | 0x0555ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005560000 | 0x05560000 | 0x0595ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005960000 | 0x05960000 | 0x05ae0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005af0000 | 0x05af0000 | 0x06eeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006ef0000 | 0x06ef0000 | 0x0709ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000006ef0000 | 0x06ef0000 | 0x06fa7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006fb0000 | 0x06fb0000 | 0x06feffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006ff0000 | 0x06ff0000 | 0x0702ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000007030000 | 0x07030000 | 0x0706ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000007070000 | 0x07070000 | 0x07084fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000007090000 | 0x07090000 | 0x0709ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000070a0000 | 0x070a0000 | 0x0719ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000071a0000 | 0x071a0000 | 0x071dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000071e0000 | 0x071e0000 | 0x07208fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007dfe7000 | 0x7dfe7000 | 0x7dfe9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007dfea000 | 0x7dfea000 | 0x7dfecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007dfed000 | 0x7dfed000 | 0x7dfeffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007dff0000 | 0x7dff0000 | 0x7e0effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e0f0000 | 0x7e0f0000 | 0x7e112fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e114000 | 0x7e114000 | 0x7e114fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e117000 | 0x7e117000 | 0x7e119fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e11a000 | 0x7e11a000 | 0x7e11cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e11d000 | 0x7e11d000 | 0x7e11dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%BACKP%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:02 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #40: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xddc |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE0
0x
DF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x049effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x04a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000049f0000 | 0x049f0000 | 0x049fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04a03fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a11fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a13fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004a20000 | 0x04a20000 | 0x04a33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b80000 | 0x04b80000 | 0x04b83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04b90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04ba1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04cd0000 | 0x04d8dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x0507ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05080000 | 0x053b6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7f0affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f0b0000 | 0x7f0b0000 | 0x7f0d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0d6000 | 0x7f0d6000 | 0x7f0d8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0d9000 | 0x7f0d9000 | 0x7f0d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0db000 | 0x7f0db000 | 0x7f0dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0dd000 | 0x7f0dd000 | 0x7f0dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xdf8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = tomcat |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #42: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdf8 |
| Parent PID | 0xddc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DFC
0x
E08
0x
E0C
0x
E10
0x
E14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00ce3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d91fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00da0000 | 0x00e5dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00edffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00ee0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00f00000 | 0x00f00fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f2ffff | Private Memory | - |
|
|
|
- |
| wmic.exe.mui | 0x00f30000 | 0x00f3ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f40fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x00f60000 | 0x01048fff | Memory Mapped File | Readable |
|
|
|
- |
| kernelbase.dll.mui | 0x00f60000 | 0x0103efff | Memory Mapped File | Readable |
|
|
|
- |
| imm32.dll | 0x01040000 | 0x01069fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x01040fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01050fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x0107ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x0118ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x012dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x012cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x01247fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001250000 | 0x01250000 | 0x0128ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001290000 | 0x01290000 | 0x012a4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x012dffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05370000 | 0x056a6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000056b0000 | 0x056b0000 | 0x057fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000056b0000 | 0x056b0000 | 0x057affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000057b0000 | 0x057b0000 | 0x057effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000057f0000 | 0x057f0000 | 0x057fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005800000 | 0x05800000 | 0x0595ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005800000 | 0x05800000 | 0x0583ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005840000 | 0x05840000 | 0x0587ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005880000 | 0x05880000 | 0x058bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000058c0000 | 0x058c0000 | 0x058fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005900000 | 0x05900000 | 0x05928fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005950000 | 0x05950000 | 0x0595ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005960000 | 0x05960000 | 0x05d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005d60000 | 0x05d60000 | 0x05ee7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005ef0000 | 0x05ef0000 | 0x06070fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000006080000 | 0x06080000 | 0x0747ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000007480000 | 0x07480000 | 0x075dffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f467000 | 0x7f467000 | 0x7f469fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f46a000 | 0x7f46a000 | 0x7f46cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f46d000 | 0x7f46d000 | 0x7f46ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f470000 | 0x7f470000 | 0x7f56ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f570000 | 0x7f570000 | 0x7f592fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f594000 | 0x7f594000 | 0x7f594fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f597000 | 0x7f597000 | 0x7f599fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f59a000 | 0x7f59a000 | 0x7f59afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f59d000 | 0x7f59d000 | 0x7f59ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%tomcat%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:03 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #43: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe18 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E1C
0x
E30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x0466ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004670000 | 0x04670000 | 0x0468ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004670000 | 0x04670000 | 0x0467ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x04683fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x04691fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x04693fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000046a0000 | 0x046a0000 | 0x046b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x047fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004800000 | 0x04800000 | 0x04803fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004810000 | 0x04810000 | 0x04810fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x04821fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04830000 | 0x048edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000048f0000 | 0x048f0000 | 0x0492ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x0496ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004970000 | 0x04970000 | 0x04a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04c50000 | 0x04f86fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f470000 | 0x7f470000 | 0x7f56ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f570000 | 0x7f570000 | 0x7f592fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f597000 | 0x7f597000 | 0x7f599fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f59a000 | 0x7f59a000 | 0x7f59afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f59c000 | 0x7f59c000 | 0x7f59cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f59d000 | 0x7f59d000 | 0x7f59ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xe34, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = SharePoint |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #45: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe34 |
| Parent PID | 0xe18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E38
0x
E3C
0x
E44
0x
E48
0x
E4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001a0000 | 0x001a0000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00273fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x003f0000 | 0x004adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| ole32.dll | 0x00500000 | 0x005e8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00503fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00510000 | 0x00510fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0053ffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x00540000 | 0x00569fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x00540000 | 0x0054ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00550fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00560fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00573fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00594fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005d8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x006a0000 | 0x009d6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x009e0000 | 0x00abefff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00b77fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00d17fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00ef0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x010affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010effff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0576ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005770000 | 0x05770000 | 0x06b6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ecaa000 | 0x7ecaa000 | 0x7ecacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecad000 | 0x7ecad000 | 0x7ecaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7edaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007edb0000 | 0x7edb0000 | 0x7edd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007edd5000 | 0x7edd5000 | 0x7edd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edd8000 | 0x7edd8000 | 0x7edd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edd9000 | 0x7edd9000 | 0x7eddbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eddc000 | 0x7eddc000 | 0x7eddefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eddf000 | 0x7eddf000 | 0x7eddffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%SharePoint%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:04 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #46: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe6c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E70
0x
E84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0442ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004410000 | 0x04410000 | 0x0441ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x04423fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04431fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04433fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004440000 | 0x04440000 | 0x04453fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x0449ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x0459ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000045a0000 | 0x045a0000 | 0x045a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000045b0000 | 0x045b0000 | 0x045b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x045d0000 | 0x0468dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x046cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004730000 | 0x04730000 | 0x0473ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004740000 | 0x04740000 | 0x0483ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x0499ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04b20000 | 0x04e56fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e740000 | 0x7e740000 | 0x7e83ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e840000 | 0x7e840000 | 0x7e862fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e863000 | 0x7e863000 | 0x7e863fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e869000 | 0x7e869000 | 0x7e86bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86c000 | 0x7e86c000 | 0x7e86efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86f000 | 0x7e86f000 | 0x7e86ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 176, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xe88, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = SBS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #48: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL STOPSERVICE |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe88 |
| Parent PID | 0xe6c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E8C
0x
E90
0x
E94
0x
E98
0x
E9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002a0000 | 0x002a0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00373fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00391fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x003f0000 | 0x004adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00503fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00510000 | 0x00510fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0054ffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x00550000 | 0x00579fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x00550000 | 0x0055ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00560fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00570fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x00690000 | 0x00778fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00690fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00693fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00734fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x007d0000 | 0x00b06fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00b10000 | 0x00beefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x0107ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01207fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x012c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000012d0000 | 0x012d0000 | 0x012f8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005370000 | 0x05370000 | 0x054f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005500000 | 0x05500000 | 0x068fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006900000 | 0x06900000 | 0x06a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006900000 | 0x06900000 | 0x069fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006a10000 | 0x06a10000 | 0x06a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006a20000 | 0x06a20000 | 0x06a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f6fa000 | 0x7f6fa000 | 0x7f6fcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6fd000 | 0x7f6fd000 | 0x7f6fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f700000 | 0x7f700000 | 0x7f7fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f800000 | 0x7f800000 | 0x7f822fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f824000 | 0x7f824000 | 0x7f826fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f827000 | 0x7f827000 | 0x7f829fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f82a000 | 0x7f82a000 | 0x7f82cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f82d000 | 0x7f82d000 | 0x7f82dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f82f000 | 0x7f82f000 | 0x7f82ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%SBS%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:05 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #49: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeb0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EB4
0x
ED0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x0493ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x0495ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004940000 | 0x04940000 | 0x0494ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004950000 | 0x04950000 | 0x04953fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x04961fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x04963fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004970000 | 0x04970000 | 0x04983fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x049cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04acffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ad0000 | 0x04ad0000 | 0x04ad3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004ae0000 | 0x04ae0000 | 0x04ae0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04af1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04d50000 | 0x04e0dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0503ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05040000 | 0x05376fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e830000 | 0x7e830000 | 0x7e92ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e930000 | 0x7e930000 | 0x7e952fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e954000 | 0x7e954000 | 0x7e954fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e959000 | 0x7e959000 | 0x7e95bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e95c000 | 0x7e95c000 | 0x7e95efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e95f000 | 0x7e95f000 | 0x7e95ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xed4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = Firebird |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #51: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed4 |
| Parent PID | 0xeb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED8
0x
EDC
0x
EE0
0x
EE4
0x
EE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000440000 | 0x00440000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0044ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00453fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00461fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00460fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00483fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00513fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00520fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00531fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00540000 | 0x005fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00680fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x00693fff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x006a0000 | 0x006a0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006cffff | Private Memory | - |
|
|
|
- |
| wmic.exe.mui | 0x006d0000 | 0x006dffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x00700000 | 0x007e8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x007fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00700000 | 0x00729fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00700fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00710fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00713fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007d4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007e8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x009e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00ae0000 | 0x00e16fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00fbffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00e20000 | 0x00efefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x01147fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x012d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0576ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005770000 | 0x05770000 | 0x06b6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006b70000 | 0x06b70000 | 0x06cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006b70000 | 0x06b70000 | 0x06c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006cd0000 | 0x06cd0000 | 0x06cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ec5a000 | 0x7ec5a000 | 0x7ec5cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec5d000 | 0x7ec5d000 | 0x7ec5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ec60000 | 0x7ec60000 | 0x7ed5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed60000 | 0x7ed60000 | 0x7ed82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ed83000 | 0x7ed83000 | 0x7ed85fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed86000 | 0x7ed86000 | 0x7ed88fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed89000 | 0x7ed89000 | 0x7ed89fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed8c000 | 0x7ed8c000 | 0x7ed8efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed8f000 | 0x7ed8f000 | 0x7ed8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%Firebird%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:06 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #52: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeec |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EF0
0x
F04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x04acffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ad0000 | 0x04ad0000 | 0x04adffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04ae3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04af1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04af3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b00000 | 0x04b00000 | 0x04b13fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004c70000 | 0x04c70000 | 0x04c70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c81fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04d50000 | 0x04e0dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x052cffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x052d0000 | 0x05606fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e250000 | 0x7e250000 | 0x7e34ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e350000 | 0x7e350000 | 0x7e372fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e375000 | 0x7e375000 | 0x7e375fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e379000 | 0x7e379000 | 0x7e37bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e37c000 | 0x7e37c000 | 0x7e37cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e37d000 | 0x7e37d000 | 0x7e37ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xf08, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = MSSQL |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #54: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0xeec (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F0C
0x
F10
0x
F14
0x
F18
0x
F1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009f0000 | 0x009f0000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a03fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a11fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00b60000 | 0x00c1dfff | Memory Mapped File | Readable |
|
|
|
- |
| msxml3r.dll | 0x00c20000 | 0x00c20fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d8ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00da0000 | 0x010d6fff | Memory Mapped File | Readable |
|
|
|
- |
| ole32.dll | 0x010e0000 | 0x011c8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x0115ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x0112ffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x010e0000 | 0x01109fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x010e0000 | 0x010effff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x01100fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x01110fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x01113fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0112ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001130000 | 0x01130000 | 0x01144fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0115ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x011fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0119ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011b0000 | 0x011b0000 | 0x011effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x011fffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x01200000 | 0x012defff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x054affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0548ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005370000 | 0x05370000 | 0x05427fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005430000 | 0x05430000 | 0x0546ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x0548ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000054a0000 | 0x054a0000 | 0x054affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000054b0000 | 0x054b0000 | 0x058affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000058b0000 | 0x058b0000 | 0x05a37fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005a40000 | 0x05a40000 | 0x05bc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005bd0000 | 0x05bd0000 | 0x06fcffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006fd0000 | 0x06fd0000 | 0x070cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000070d0000 | 0x070d0000 | 0x0710ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000007110000 | 0x07110000 | 0x0714ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000007150000 | 0x07150000 | 0x0718ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000007190000 | 0x07190000 | 0x071b8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f6ba000 | 0x7f6ba000 | 0x7f6bcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6bd000 | 0x7f6bd000 | 0x7f6bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f6c0000 | 0x7f6c0000 | 0x7f7bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f7c0000 | 0x7f7c0000 | 0x7f7e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f7e5000 | 0x7f7e5000 | 0x7f7e5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7e6000 | 0x7f7e6000 | 0x7f7e8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7e9000 | 0x7f7e9000 | 0x7f7ebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7ec000 | 0x7f7ec000 | 0x7f7ecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7ed000 | 0x7f7ed000 | 0x7f7effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%MSSQL%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:07 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #55: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #55 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf20 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F24
0x
F38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000330000 | 0x00330000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x0033ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00351fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00353fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00373fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004510000 | 0x04510000 | 0x04513fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004520000 | 0x04520000 | 0x04520fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004530000 | 0x04530000 | 0x04531fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04540000 | 0x045fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004630000 | 0x04630000 | 0x0463ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004660000 | 0x04660000 | 0x0475ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x0479ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x0489ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004920000 | 0x04920000 | 0x0492ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04930000 | 0x04c66fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f8b0000 | 0x7f8b0000 | 0x7f9affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f9b0000 | 0x7f9b0000 | 0x7f9d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f9d8000 | 0x7f9d8000 | 0x7f9d8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f9d9000 | 0x7f9d9000 | 0x7f9dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f9dc000 | 0x7f9dc000 | 0x7f9defff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f9df000 | 0x7f9df000 | 0x7f9dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 83, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xf3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = SQL |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #57: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf3c |
| Parent PID | 0xf20 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F40
0x
F44
0x
F48
0x
F4C
0x
F50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000430000 | 0x00430000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x0043ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00443fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00451fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00450fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00473fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00503fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00521fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00530000 | 0x005edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00670fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00683fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x006a0000 | 0x006a0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006cffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x006d0000 | 0x006f9fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x006d0000 | 0x006dffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00700fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00703fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00724fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00880000 | 0x00bb6fff | Memory Mapped File | Readable |
|
|
|
- |
| ole32.dll | 0x00bc0000 | 0x00ca8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00d20000 | 0x00dfefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00efffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00eb7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ee8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00efffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x01097fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000010a0000 | 0x010a0000 | 0x01220fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0126ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001270000 | 0x01270000 | 0x012affff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0576ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005770000 | 0x05770000 | 0x06b6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006b70000 | 0x06b70000 | 0x06c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e51a000 | 0x7e51a000 | 0x7e51cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e51d000 | 0x7e51d000 | 0x7e51ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e520000 | 0x7e520000 | 0x7e61ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e620000 | 0x7e620000 | 0x7e642fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e643000 | 0x7e643000 | 0x7e645fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e646000 | 0x7e646000 | 0x7e646fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e649000 | 0x7e649000 | 0x7e64bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e64c000 | 0x7e64c000 | 0x7e64efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e64f000 | 0x7e64f000 | 0x7e64ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%SQL%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:08 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #58: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:56, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf54 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F58
0x
F6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x0032ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00363fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004510000 | 0x04510000 | 0x04510fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x04521fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004530000 | 0x04530000 | 0x0456ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x045dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x045e0000 | 0x0469dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x0479ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x0489ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x049fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04a00000 | 0x04d36fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f580000 | 0x7f580000 | 0x7f67ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f680000 | 0x7f680000 | 0x7f6a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f6a6000 | 0x7f6a6000 | 0x7f6a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6a8000 | 0x7f6a8000 | 0x7f6aafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6ab000 | 0x7f6ab000 | 0x7f6abfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6ad000 | 0x7f6ad000 | 0x7f6affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xf70, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = Exchange |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #60: wmic.exe
16
0
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:56, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf70 |
| Parent PID | 0xf54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F74
0x
F78
0x
F7C
0x
F80
0x
F84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d01fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00ea0000 | 0x00ea0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00ecffff | Private Memory | - |
|
|
|
- |
| wmic.exe.mui | 0x00ed0000 | 0x00edffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00ee0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ff0000 | 0x010adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x0110ffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x010b0000 | 0x010d9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x010c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x010c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x010e4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x010f8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0110ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0114ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0115ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x01160000 | 0x01248fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x012dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0120ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x011cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0119ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x011cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0120ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001210000 | 0x01210000 | 0x012c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x012dffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05370000 | 0x056a6fff | Memory Mapped File | Readable |
|
|
|
- |
| kernelbase.dll.mui | 0x056b0000 | 0x0578efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005790000 | 0x05790000 | 0x05b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005b90000 | 0x05b90000 | 0x05d17fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005d20000 | 0x05d20000 | 0x05ea0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005eb0000 | 0x05eb0000 | 0x072affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000072b0000 | 0x072b0000 | 0x073affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000072b0000 | 0x072b0000 | 0x072effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000072f0000 | 0x072f0000 | 0x0732ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000007330000 | 0x07330000 | 0x0736ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000073a0000 | 0x073a0000 | 0x073affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000073b0000 | 0x073b0000 | 0x074affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000074b0000 | 0x074b0000 | 0x074effff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efca000 | 0x7efca000 | 0x7efccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efcd000 | 0x7efcd000 | 0x7efcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efd0000 | 0x7efd0000 | 0x7f0cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f0f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0f3000 | 0x7f0f3000 | 0x7f0f5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0f6000 | 0x7f0f6000 | 0x7f0f8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0f9000 | 0x7f0f9000 | 0x7f0f9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0fc000 | 0x7f0fc000 | 0x7f0fcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0fd000 | 0x7f0fd000 | 0x7f0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%Exchange%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Unknown | - |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:09 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #61: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf88 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F8C
0x
FA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x047effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x0480ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000047f0000 | 0x047f0000 | 0x047fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x04803fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x04811fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x04813fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004820000 | 0x04820000 | 0x04833fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x0487ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0497ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004980000 | 0x04980000 | 0x04983fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004990000 | 0x04990000 | 0x04990fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x049b0000 | 0x04a6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04adffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04ed0000 | 0x05206fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007dfc0000 | 0x7dfc0000 | 0x7e0bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e0c0000 | 0x7e0c0000 | 0x7e0e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e0e5000 | 0x7e0e5000 | 0x7e0e5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e0e7000 | 0x7e0e7000 | 0x7e0e7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e0ea000 | 0x7e0ea000 | 0x7e0ecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e0ed000 | 0x7e0ed000 | 0x7e0effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xfa4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = wsbex |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #63: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfa4 |
| Parent PID | 0xf88 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FA8
0x
FAC
0x
FB0
0x
FB4
0x
FB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000760000 | 0x00760000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x0076ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00773fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00781fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00780fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x007a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00833fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00840fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00851fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00860000 | 0x0091dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0095ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00960fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x0097ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x009e0000 | 0x009e0fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x009f0000 | 0x009fffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00afffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00b00000 | 0x00e36fff | Memory Mapped File | Readable |
|
|
|
- |
| ole32.dll | 0x00e40000 | 0x00f28fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00e80000 | 0x00ea9fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e80fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00eb4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x0112ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x010fffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00f70000 | 0x0104efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0108ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x010cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0112ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001130000 | 0x01130000 | 0x012b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012fffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0576ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005770000 | 0x05770000 | 0x058f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005900000 | 0x05900000 | 0x06cfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006d00000 | 0x06d00000 | 0x06dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000006d00000 | 0x06d00000 | 0x06db7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006dc0000 | 0x06dc0000 | 0x06dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006dd0000 | 0x06dd0000 | 0x06ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006ed0000 | 0x06ed0000 | 0x06f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000006f10000 | 0x06f10000 | 0x06f38fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e95a000 | 0x7e95a000 | 0x7e95cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e95d000 | 0x7e95d000 | 0x7e95ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e960000 | 0x7e960000 | 0x7ea5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7ea82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ea83000 | 0x7ea83000 | 0x7ea85fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea86000 | 0x7ea86000 | 0x7ea86fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea89000 | 0x7ea89000 | 0x7ea8bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea8c000 | 0x7ea8c000 | 0x7ea8cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea8d000 | 0x7ea8d000 | 0x7ea8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%wsbex%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:10 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #64: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfbc |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FC0
0x
FD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000380000 | 0x00380000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x0038ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004410000 | 0x04410000 | 0x04423fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x0446ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004470000 | 0x04470000 | 0x0456ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004570000 | 0x04570000 | 0x04570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004580000 | 0x04580000 | 0x04581fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x04593fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045bffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x045c0000 | 0x0467dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x046bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004740000 | 0x04740000 | 0x0483ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x0493ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04940000 | 0x04c76fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ebb0000 | 0x7ebb0000 | 0x7ecaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7ecd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ecd4000 | 0x7ecd4000 | 0x7ecd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecd9000 | 0x7ecd9000 | 0x7ecdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecdc000 | 0x7ecdc000 | 0x7ecdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecdf000 | 0x7ecdf000 | 0x7ecdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xfd8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = postgresql |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #66: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfd8 |
| Parent PID | 0xfbc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FDC
0x
FE0
0x
FE4
0x
FE8
0x
FEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000140000 | 0x00140000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x0014ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00153fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00161fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00183fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00213fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00253fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00270000 | 0x00270fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0029ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x003a0000 | 0x0045dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x004e0000 | 0x005c8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x004e0000 | 0x00509fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x004e0000 | 0x004effff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00513fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00634fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00648fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00660000 | 0x00996fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x00afffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x009a0000 | 0x00a7efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00ce7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x0113ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001140000 | 0x01140000 | 0x012c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005370000 | 0x05370000 | 0x0676ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000006770000 | 0x06770000 | 0x06827fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006830000 | 0x06830000 | 0x0692ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ecba000 | 0x7ecba000 | 0x7ecbcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecbd000 | 0x7ecbd000 | 0x7ecbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ecc0000 | 0x7ecc0000 | 0x7edbffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007edc0000 | 0x7edc0000 | 0x7ede2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ede3000 | 0x7ede3000 | 0x7ede3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ede4000 | 0x7ede4000 | 0x7ede6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ede7000 | 0x7ede7000 | 0x7ede9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edea000 | 0x7edea000 | 0x7edeafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eded000 | 0x7eded000 | 0x7edeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%postgresql%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:11 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #67: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF4
0x
604
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000100000 | 0x00100000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x0010ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00113fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00121fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00123fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00143fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00293fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0039dfff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0444ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004450000 | 0x04450000 | 0x0454ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x0468ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x047bffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x047c0000 | 0x04af6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e7d0000 | 0x7e7d0000 | 0x7e8cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e8d0000 | 0x7e8d0000 | 0x7e8f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e8f6000 | 0x7e8f6000 | 0x7e8f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8f7000 | 0x7e8f7000 | 0x7e8f9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8fa000 | 0x7e8fa000 | 0x7e8fafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8fd000 | 0x7e8fd000 | 0x7e8fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0x9ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = BACKP |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #69: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ec |
| Parent PID | 0xff0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9CC
0x
F0
0x
778
0x
8BC
0x
168
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e00000 | 0x00e00000 | 0x00e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e13fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e21fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x00ed3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00ee0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00ef1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x0109ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x010a0000 | 0x0115dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x01163fff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x01170000 | 0x01170fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x0119ffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x011a0000 | 0x011c9fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x011a0000 | 0x011affff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000011b0000 | 0x011b0000 | 0x011b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x011c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x011d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x011d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x011effff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x011f0000 | 0x012d8fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x0127ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x0122ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0126ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001270000 | 0x01270000 | 0x0127ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001280000 | 0x01280000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012fffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| sortdefault.nls | 0x05370000 | 0x056a6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000056b0000 | 0x056b0000 | 0x057effff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x056b0000 | 0x0578efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005790000 | 0x05790000 | 0x057cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000057e0000 | 0x057e0000 | 0x057effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000057f0000 | 0x057f0000 | 0x059bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000057f0000 | 0x057f0000 | 0x059affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000057f0000 | 0x057f0000 | 0x0595ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000057f0000 | 0x057f0000 | 0x0588ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000057f0000 | 0x057f0000 | 0x0582ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005830000 | 0x05830000 | 0x05844fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005830000 | 0x05830000 | 0x05858fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005880000 | 0x05880000 | 0x0588ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005890000 | 0x05890000 | 0x05947fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005950000 | 0x05950000 | 0x0595ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000059a0000 | 0x059a0000 | 0x059affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000059b0000 | 0x059b0000 | 0x059bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000059c0000 | 0x059c0000 | 0x05dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005dc0000 | 0x05dc0000 | 0x05f47fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005f50000 | 0x05f50000 | 0x060d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000060e0000 | 0x060e0000 | 0x074dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000074e0000 | 0x074e0000 | 0x075dffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007fb1a000 | 0x7fb1a000 | 0x7fb1cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fb1d000 | 0x7fb1d000 | 0x7fb1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007fb20000 | 0x7fb20000 | 0x7fc1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fc20000 | 0x7fc20000 | 0x7fc42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fc43000 | 0x7fc43000 | 0x7fc45fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fc46000 | 0x7fc46000 | 0x7fc48fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fc49000 | 0x7fc49000 | 0x7fc4bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fc4c000 | 0x7fc4c000 | 0x7fc4cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fc4f000 | 0x7fc4f000 | 0x7fc4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%BACKP%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:12 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #70: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc38 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C24
0x
C68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x04b2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b30000 | 0x04b30000 | 0x04b3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b53fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cc3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004cd0000 | 0x04cd0000 | 0x04cd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ce1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04e10000 | 0x04ecdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x0500ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0504ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05050000 | 0x05386fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f3c0000 | 0x7f3c0000 | 0x7f4bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f4c0000 | 0x7f4c0000 | 0x7f4e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4e5000 | 0x7f4e5000 | 0x7f4e7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4e8000 | 0x7f4e8000 | 0x7f4eafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4eb000 | 0x7f4eb000 | 0x7f4ebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ed000 | 0x7f4ed000 | 0x7f4edfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 126, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xc64, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = tomcat |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #72: wmic.exe
15
0
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc64 |
| Parent PID | 0xc38 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C4C
0x
C60
0x
C5C
0x
C40
0x
C30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000850000 | 0x00850000 | 0x0086ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0085ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00863fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00871fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00893fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00923fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00930fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00941fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00950000 | 0x00a0dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00ab0000 | 0x00ab0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00aeffff | Private Memory | - |
|
|
|
- |
| wmic.exe.mui | 0x00af0000 | 0x00afffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x00b20000 | 0x00c08fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00b20000 | 0x00b49fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b30fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00cb4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00cc8fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00e10000 | 0x01146fff | Memory Mapped File | Readable |
|
|
|
- |
| kernelbase.dll.mui | 0x01150000 | 0x0122efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x012e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0554ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005370000 | 0x05370000 | 0x054f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005500000 | 0x05500000 | 0x0553ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005540000 | 0x05540000 | 0x0554ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005550000 | 0x05550000 | 0x0594ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005950000 | 0x05950000 | 0x05ad0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005ae0000 | 0x05ae0000 | 0x06edffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006ee0000 | 0x06ee0000 | 0x06fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006fe0000 | 0x06fe0000 | 0x0701ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f907000 | 0x7f907000 | 0x7f909fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f90a000 | 0x7f90a000 | 0x7f90cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f90d000 | 0x7f90d000 | 0x7f90ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f910000 | 0x7f910000 | 0x7fa0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fa10000 | 0x7fa10000 | 0x7fa32fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fa35000 | 0x7fa35000 | 0x7fa35fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fa37000 | 0x7fa37000 | 0x7fa37fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fa3a000 | 0x7fa3a000 | 0x7fa3cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fa3d000 | 0x7fa3d000 | 0x7fa3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%tomcat%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:13 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #73: cmd.exe
56
0
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:01, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc44 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
554
0x
518
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x04d6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d83fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04d91fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04d93fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004da0000 | 0x04da0000 | 0x04db3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04efffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f00000 | 0x04f00000 | 0x04f03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004f10000 | 0x04f10000 | 0x04f10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f21fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04f30000 | 0x04fedfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x0502ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x050fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x051fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0535ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005460000 | 0x05460000 | 0x0546ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05470000 | 0x057a6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f7f0000 | 0x7f7f0000 | 0x7f812fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f818000 | 0x7f818000 | 0x7f81afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f81b000 | 0x7f81b000 | 0x7f81dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f81e000 | 0x7f81e000 | 0x7f81efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f81f000 | 0x7f81f000 | 0x7f81ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xca4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = SharePoint |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 80041017 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #75: wmic.exe
39
0
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:01, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xca4 |
| Parent PID | 0xc44 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CA0
0x
C90
0x
C9C
0x
C98
0x
C8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007c0000 | 0x007c0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00803fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0088ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00893fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00900fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0091ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00923fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00a30000 | 0x00aedfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00b30000 | 0x00b30fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00b50000 | 0x00e86fff | Memory Mapped File | Readable |
|
|
|
- |
| ole32.dll | 0x00e90000 | 0x00f78fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x0102ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00eaffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x00eb0000 | 0x00ed9fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x00eb0000 | 0x00ebffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ec0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00ed0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00ef0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f54fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| wmiutils.dll.mui | 0x00f40000 | 0x00f44fff | Memory Mapped File | Readable |
|
|
|
- |
| stdole2.tlb | 0x00f50000 | 0x00f54fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0102ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x011fffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x01030000 | 0x0110efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x011c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x011fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x012fffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005370000 | 0x05370000 | 0x0576ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005770000 | 0x05770000 | 0x058f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005900000 | 0x05900000 | 0x05a80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005a90000 | 0x05a90000 | 0x06e8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006e90000 | 0x06e90000 | 0x06faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006e90000 | 0x06e90000 | 0x06ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006ed0000 | 0x06ed0000 | 0x06f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006f10000 | 0x06f10000 | 0x06f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3.dll | 0x06f50000 | 0x06f75fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000006fa0000 | 0x06fa0000 | 0x06faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006fb0000 | 0x06fb0000 | 0x070affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000070b0000 | 0x070b0000 | 0x074befff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sxs.dll | 0x73f80000 | 0x73ffffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74000000 | 0x74007fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpoav.dll | 0x74010000 | 0x74025fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| amsi.dll | 0x74030000 | 0x7403cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vbscript.dll | 0x74040000 | 0x740befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wmiutils.dll | 0x740c0000 | 0x740ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| coml2.dll | 0x77840000 | 0x77897fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007eaea000 | 0x7eaea000 | 0x7eaecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaed000 | 0x7eaed000 | 0x7eaeffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7ebeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7ec12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ec15000 | 0x7ec15000 | 0x7ec15fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec16000 | 0x7ec16000 | 0x7ec18fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec19000 | 0x7ec19000 | 0x7ec19fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec1a000 | 0x7ec1a000 | 0x7ec1cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec1d000 | 0x7ec1d000 | 0x7ec1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (15)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Create | 8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6 | BFBF883A-CAD7-11D3-A11B-00105A1F515A | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | EAC8A024-21E2-4523-AD73-A71A0AA2F56A | 81166F58-DD98-11D3-A120-00105A1F515A | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | EB87E1BD-3233-11D2-AEC9-00C04FB68820 | EB87E1BC-3233-11D2-AEC9-00C04FB68820 | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Create | 2933BF94-7B36-11D2-B20E-00C04F983E60 | 2933BF93-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%SharePoint%'CALL ChangeStartMode 'Disabled |
|
1 |
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\wbem\\texttable.xsl | share_mode = FILE_SHARE_READ |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (10)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x74030000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x76970000 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x76a39ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiInitialize, address_out = 0x74033d40 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiScanString, address_out = 0x740340e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadedAPI, address_out = 0x76a24e60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = ResolveDelayLoadsFromDll, address_out = 0x76aa0770 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiUninitialize, address_out = 0x74033f20 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:14 (Local Time) |
|
1 | |
| Get Time | type = Ticks, time = 152328 |
|
1 | |
| Get Time | type = Ticks, time = 152375 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Process #76: cmd.exe
55
0
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc6c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C7C
0x
C2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000180000 | 0x00180000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x0018ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00313fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00383fff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x0451ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x0454ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04550000 | 0x0460dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x0470ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04710000 | 0x04a46fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e280000 | 0x7e280000 | 0x7e37ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e380000 | 0x7e380000 | 0x7e3a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e3a5000 | 0x7e3a5000 | 0x7e3a7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e3a8000 | 0x7e3a8000 | 0x7e3aafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e3ab000 | 0x7e3ab000 | 0x7e3abfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e3ad000 | 0x7e3ad000 | 0x7e3adfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 152, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\Wbem\WMIC.exe | os_pid = 0xbc0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = SBS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #78: wmic.exe
14
0
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\windows\syswow64\wbem\wmic.exe |
| Command Line | WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL ChangeStartMode 'Disabled' |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc0 |
| Parent PID | 0xc6c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C34
0x
C50
0x
C48
0x
CD8
0x
CD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002e0000 | 0x002e0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00300fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00323fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x003e0000 | 0x0049dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00520fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00533fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| msxml3r.dll | 0x00560000 | 0x00560fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0058ffff | Private Memory | - |
|
|
|
- |
| imm32.dll | 0x00590000 | 0x005b9fff | Memory Mapped File | Readable |
|
|
|
- |
| wmic.exe.mui | 0x00590000 | 0x0059ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| ole32.dll | 0x006f0000 | 0x007d8fff | Memory Mapped File | Readable |
|
|
|
- |
| kernelbase.dll.mui | 0x006f0000 | 0x007cefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00820000 | 0x00b56fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00bf4fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00c08fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00d77fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x0122ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmic.exe | 0x01300000 | 0x01363fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x0536ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000005370000 | 0x05370000 | 0x054f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005500000 | 0x05500000 | 0x05680fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005690000 | 0x05690000 | 0x06a8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000006a90000 | 0x06a90000 | 0x06b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x740e0000 | 0x7419bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x741a0000 | 0x741b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x741c0000 | 0x743e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x743f0000 | 0x746b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x746c0000 | 0x7481ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msxml3.dll | 0x74820000 | 0x749affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x749b0000 | 0x74a15fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x74a20000 | 0x74a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a30000 | 0x74a6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74a70000 | 0x74a9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74aa0000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74ba0000 | 0x74bbcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74bc0000 | 0x74c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77430000 | 0x77519fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x778a0000 | 0x7792cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f4fa000 | 0x7f4fa000 | 0x7f4fcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4fd000 | 0x7f4fd000 | 0x7f4fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f500000 | 0x7f500000 | 0x7f5fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f600000 | 0x7f600000 | 0x7f622fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f623000 | 0x7f623000 | 0x7f625fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f626000 | 0x7f626000 | 0x7f628fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f629000 | 0x7f629000 | 0x7f629fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f62a000 | 0x7f62a000 | 0x7f62cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f62d000 | 0x7f62d000 | 0x7f62dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
COM (6)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | F6D90F12-9C73-11D3-B32E-00C04F990BB4 | 2933BF95-7B36-11D2-B20E-00C04F983E60 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = root\cli\ms_409 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\LHNIWSJ\ROOT\CIMV2 |
|
1 | |
| Execute | WBEMLocator | IWbemServices | method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_Service WHERE caption LIKE '%SBS%' |
|
1 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Logging Directory, data = 37 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM | value_name = Log File Max Size, data = 54 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\wbem\wmic.exe | base_address = 0x1300000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-15 10:09:16 (Local Time) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Process #79: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config FirebirdServerDefaultInstance start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcc8 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CD0
0x
CB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x0450ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x0452ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004510000 | 0x04510000 | 0x0451ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x04523fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004530000 | 0x04530000 | 0x04531fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004530000 | 0x04530000 | 0x04533fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004540000 | 0x04540000 | 0x04553fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x0459ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x0469ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000046a0000 | 0x046a0000 | 0x046a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000046b0000 | 0x046b0000 | 0x046b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x046d0000 | 0x0478dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x047cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x0482ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004830000 | 0x04830000 | 0x0492ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04acffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04c30000 | 0x04f66fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee70000 | 0x7ee70000 | 0x7ef6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef70000 | 0x7ef70000 | 0x7ef92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef97000 | 0x7ef97000 | 0x7ef99fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef9a000 | 0x7ef9a000 | 0x7ef9afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef9b000 | 0x7ef9b000 | 0x7ef9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef9e000 | 0x7ef9e000 | 0x7ef9efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xd1c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #81: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config FirebirdServerDefaultInstance start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd1c |
| Parent PID | 0xcc8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
714
0x
114
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000710000 | 0x00710000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x0071ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00723fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00753fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00801fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00810000 | 0x008cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0091ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0095ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00960000 | 0x00971fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00b80000 | 0x00c5efff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f240000 | 0x7f240000 | 0x7f33ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f340000 | 0x7f340000 | 0x7f362fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f368000 | 0x7f368000 | 0x7f36afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f36b000 | 0x7f36b000 | 0x7f36bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f36c000 | 0x7f36c000 | 0x7f36efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f36f000 | 0x7f36f000 | 0x7f36ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #82: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #82 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c taskkill \/IM fb_inet_server.exe \/F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd48 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D44
0x
D14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000360000 | 0x00360000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x0036ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00373fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00380fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00383fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x003a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0444ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004450000 | 0x04450000 | 0x0454ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004550000 | 0x04550000 | 0x04550fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x04561fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004570000 | 0x04570000 | 0x045affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045e0000 | 0x045e0000 | 0x046dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x046e0000 | 0x0479dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x0489ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x0490ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04910000 | 0x04c46fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eff0000 | 0x7eff0000 | 0x7f0effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f0f0000 | 0x7f0f0000 | 0x7f112fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f118000 | 0x7f118000 | 0x7f11afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f11b000 | 0x7f11b000 | 0x7f11dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f11e000 | 0x7f11e000 | 0x7f11efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f11f000 | 0x7f11f000 | 0x7f11ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xd30, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #84: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #84 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill \/IM fb_inet_server.exe \/F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd30 |
| Parent PID | 0xd48 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D20
0x
D5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| taskkill.exe | 0x00130000 | 0x00145fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x0451ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x0453ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004520000 | 0x04520000 | 0x0452ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004530000 | 0x04530000 | 0x04533fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x04541fff | Private Memory | Readable, Writable |
|
|
|
- |
| taskkill.exe.mui | 0x04540000 | 0x04544fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000004550000 | 0x04550000 | 0x04563fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004570000 | 0x04570000 | 0x045affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000045f0000 | 0x045f0000 | 0x045f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004600000 | 0x04600000 | 0x04600fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x04611fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04620000 | 0x046ddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000046e0000 | 0x046e0000 | 0x0471ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004720000 | 0x04720000 | 0x0475ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x04760fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x04770fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x04783fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004790000 | 0x04790000 | 0x04790fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000047a0000 | 0x047a0000 | 0x047a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x047dffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x047e0000 | 0x048befff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000048e0000 | 0x048e0000 | 0x049dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b40000 | 0x04b40000 | 0x04cc7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004cd0000 | 0x04cd0000 | 0x04e50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004e60000 | 0x04e60000 | 0x0625ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x06260000 | 0x06596fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x74810000 | 0x74853fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x74860000 | 0x748c5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x748d0000 | 0x748dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x748e0000 | 0x74a1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a20000 | 0x74a5efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74a60000 | 0x74a67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x74b20000 | 0x74b36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x76f60000 | 0x76f6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77760000 | 0x777e1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f26ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f270000 | 0x7f270000 | 0x7f292fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f295000 | 0x7f295000 | 0x7f295fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f297000 | 0x7f297000 | 0x7f299fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f29a000 | 0x7f29a000 | 0x7f29cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f29d000 | 0x7f29d000 | 0x7f29dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #85: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #85 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop FirebirdServerDefaultInstance |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x300 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B4C
0x
5C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x04fdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04feffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ff3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05000fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05003fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005010000 | 0x05010000 | 0x05023fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0506ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x0516ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005170000 | 0x05170000 | 0x05173fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005180000 | 0x05180000 | 0x05180fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x05191fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x052cffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x052d0000 | 0x0538dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005390000 | 0x05390000 | 0x0539ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x053dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000053e0000 | 0x053e0000 | 0x054dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005620000 | 0x05620000 | 0x0562ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05630000 | 0x05966fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e300000 | 0x7e300000 | 0x7e3fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e400000 | 0x7e400000 | 0x7e422fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e428000 | 0x7e428000 | 0x7e42afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e42b000 | 0x7e42b000 | 0x7e42dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e42e000 | 0x7e42e000 | 0x7e42efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e42f000 | 0x7e42f000 | 0x7e42ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 204, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x764, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #87: net.exe
0
0
| Information | Value |
|---|---|
| ID | #87 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop FirebirdServerDefaultInstance |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x764 |
| Parent PID | 0x300 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
454
0x
8F8
0x
D84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x04b2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b30000 | 0x04b30000 | 0x04b3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b51fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004c50000 | 0x04c50000 | 0x04c50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c61fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04c70000 | 0x04d2dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04daffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x0500ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x050effff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x74b20000 | 0x74b36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74b60000 | 0x74b67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74b70000 | 0x74b9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f41d000 | 0x7f41d000 | 0x7f41ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f420000 | 0x7f420000 | 0x7f51ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f520000 | 0x7f520000 | 0x7f542fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f544000 | 0x7f544000 | 0x7f544fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f547000 | 0x7f547000 | 0x7f549fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f54a000 | 0x7f54a000 | 0x7f54afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f54d000 | 0x7f54d000 | 0x7f54ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #88: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #88 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop FirebirdServerDefaultInstance |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd90 |
| Parent PID | 0x764 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D80
0x
D70
0x
D78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000720000 | 0x00720000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x0072ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00733fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00743fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00763fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00833fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00840fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00851fff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00860000 | 0x00862fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x008a0000 | 0x0095dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x0099ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00be0000 | 0x00c11fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a00000 | 0x74a07fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a10000 | 0x74a3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f540000 | 0x7f540000 | 0x7f63ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f640000 | 0x7f640000 | 0x7f662fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f664000 | 0x7f664000 | 0x7f664fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f666000 | 0x7f666000 | 0x7f668fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f669000 | 0x7f669000 | 0x7f66bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f66c000 | 0x7f66c000 | 0x7f66efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f66f000 | 0x7f66f000 | 0x7f66ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x860000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #89: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #89 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c taskkill \/IM sqlservr.exe \/F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd7c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D74
0x
D60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b70000 | 0x04b70000 | 0x04b7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b83fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b90fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b93fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04bb3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d00000 | 0x04d00000 | 0x04d03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004d10000 | 0x04d10000 | 0x04d10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d21fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04daffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04db0000 | 0x04e6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x0509ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x0514ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05150000 | 0x05486fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7eb5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7eb82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb86000 | 0x7eb86000 | 0x7eb86fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb89000 | 0x7eb89000 | 0x7eb8bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb8c000 | 0x7eb8c000 | 0x7eb8efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb8f000 | 0x7eb8f000 | 0x7eb8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xd58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #91: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #91 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill \/IM sqlservr.exe \/F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd58 |
| Parent PID | 0xd7c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DAC
0x
D88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| taskkill.exe | 0x00130000 | 0x00145fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x0460ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x0462ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004610000 | 0x04610000 | 0x0461ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004620000 | 0x04620000 | 0x04623fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004630000 | 0x04630000 | 0x04631fff | Private Memory | Readable, Writable |
|
|
|
- |
| taskkill.exe.mui | 0x04630000 | 0x04634fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000004640000 | 0x04640000 | 0x04653fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004660000 | 0x04660000 | 0x0469ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x046dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000046e0000 | 0x046e0000 | 0x046e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000046f0000 | 0x046f0000 | 0x046f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x04701fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004710000 | 0x04710000 | 0x0474ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004750000 | 0x04750000 | 0x0478ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x0479ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x047a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x047b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047c0000 | 0x047c0000 | 0x047c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x048cffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x048d0000 | 0x0498dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004a30000 | 0x04a30000 | 0x04bb7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004bc0000 | 0x04bc0000 | 0x04d40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004d50000 | 0x04d50000 | 0x0614ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x06150000 | 0x06486fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x748e0000 | 0x74a1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x74a20000 | 0x74a5efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74a60000 | 0x74a67fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x74b20000 | 0x74b36fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x74d70000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75080000 | 0x750c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ca0000 | 0x76decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x76f70000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x77090000 | 0x77249fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x775e0000 | 0x7760afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77930000 | 0x7798bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x77990000 | 0x77a0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x77ad0000 | 0x77ad6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77ba0000 | 0x77c31fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ee1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ee42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee45000 | 0x7ee45000 | 0x7ee45fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee49000 | 0x7ee49000 | 0x7ee4bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee4c000 | 0x7ee4c000 | 0x7ee4efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee4f000 | 0x7ee4f000 | 0x7ee4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #92: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #92 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSSQLSERVER start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd4 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DD0
0x
DB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x04bfffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c00000 | 0x04c00000 | 0x04c0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c13fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c23fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c30000 | 0x04c30000 | 0x04c43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d90000 | 0x04d90000 | 0x04d93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004da0000 | 0x04da0000 | 0x04da0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04db1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04feffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04ff0000 | 0x050adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x051affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0526ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05270000 | 0x055a6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ecd0000 | 0x7ecd0000 | 0x7edcffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007edd0000 | 0x7edd0000 | 0x7edf2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007edf3000 | 0x7edf3000 | 0x7edf3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edf9000 | 0x7edf9000 | 0x7edfbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edfc000 | 0x7edfc000 | 0x7edfefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edff000 | 0x7edff000 | 0x7edfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xda4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #94: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #94 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSSQLSERVER start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda4 |
| Parent PID | 0xdd4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DBC
0x
DA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000970000 | 0x00970000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x0097ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00983fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00991fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a61fff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00a70000 | 0x00a81fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00aa0000 | 0x00b5dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00d10000 | 0x00deefff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f4c0000 | 0x7f4c0000 | 0x7f5bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f5c0000 | 0x7f5c0000 | 0x7f5e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f5e8000 | 0x7f5e8000 | 0x7f5e8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5e9000 | 0x7f5e9000 | 0x7f5ebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5ec000 | 0x7f5ec000 | 0x7f5ecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5ed000 | 0x7f5ed000 | 0x7f5effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #95: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #95 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSSQL$SQLEXPRESS start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA8
0x
CC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x04c2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c30000 | 0x04c30000 | 0x04c3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c50fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c53fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004dd0000 | 0x04dd0000 | 0x04dd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04f40000 | 0x04ffdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0503ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0513ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0528ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05290000 | 0x055c6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ed00000 | 0x7ed00000 | 0x7edfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee00000 | 0x7ee00000 | 0x7ee22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee25000 | 0x7ee25000 | 0x7ee27fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee28000 | 0x7ee28000 | 0x7ee28fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee2b000 | 0x7ee2b000 | 0x7ee2bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee2d000 | 0x7ee2d000 | 0x7ee2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xca8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #97: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #97 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSSQL$SQLEXPRESS start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xca8 |
| Parent PID | 0xdb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D10
0x
CB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000360000 | 0x00360000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x0036ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00373fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00381fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x003a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00433fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00440fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00451fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00460000 | 0x0051dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x005a0000 | 0x005b1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00610000 | 0x006eefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f580000 | 0x7f580000 | 0x7f67ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f680000 | 0x7f680000 | 0x7f6a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f6a6000 | 0x7f6a6000 | 0x7f6a8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6a9000 | 0x7f6a9000 | 0x7f6a9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6ac000 | 0x7f6ac000 | 0x7f6aefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6af000 | 0x7f6af000 | 0x7f6affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #98: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #98 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSSQLSERVER |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd18 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D34
0x
DFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000270000 | 0x00270000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x0027ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00283fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00293fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00303fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00321fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04510000 | 0x045cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x046cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x0470ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004830000 | 0x04830000 | 0x0492ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04aa0000 | 0x04dd6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f1b0000 | 0x7f1b0000 | 0x7f2affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f2b0000 | 0x7f2b0000 | 0x7f2d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f2d6000 | 0x7f2d6000 | 0x7f2d8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2d9000 | 0x7f2d9000 | 0x7f2d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2dc000 | 0x7f2dc000 | 0x7f2defff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2df000 | 0x7f2df000 | 0x7f2dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xe0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #100: net.exe
0
0
| Information | Value |
|---|---|
| ID | #100 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSSQLSERVER |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe0c |
| Parent PID | 0xd18 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E08
0x
DF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000040000 | 0x00040000 | 0x0005ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00061fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00083fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | Readable, Writable |
|
|
|
- |
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x0423ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x0440ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x046bffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee80000 | 0x7ee80000 | 0x7eea2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eeab000 | 0x7eeab000 | 0x7eeadfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eeae000 | 0x7eeae000 | 0x7eeaefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eeaf000 | 0x7eeaf000 | 0x7eeaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #101: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #101 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSSQLSERVER |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde0 |
| Parent PID | 0xe0c (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF4
0x
DEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a10000 | 0x00a10000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a31fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b41fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00b60000 | 0x00c1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00c60000 | 0x00c62fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00e10000 | 0x00e41fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7f0bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f0c0000 | 0x7f0c0000 | 0x7f0e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e3000 | 0x7f0e3000 | 0x7f0e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0e6000 | 0x7f0e6000 | 0x7f0e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0ea000 | 0x7f0ea000 | 0x7f0ecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0ed000 | 0x7f0ed000 | 0x7f0effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xc60000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #102: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #102 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSSQL$SQLEXPRESS |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe24 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
27C
0x
2EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x046affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000046b0000 | 0x046b0000 | 0x046cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000046b0000 | 0x046b0000 | 0x046bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046d0000 | 0x046d0000 | 0x046d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046d0000 | 0x046d0000 | 0x046d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000046e0000 | 0x046e0000 | 0x046f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x0473ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004740000 | 0x04740000 | 0x0483ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004840000 | 0x04840000 | 0x04843fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004850000 | 0x04850000 | 0x04850fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004860000 | 0x04860000 | 0x04861fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04870000 | 0x0492dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004930000 | 0x04930000 | 0x0496ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04ed0000 | 0x05206fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f020000 | 0x7f020000 | 0x7f11ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f120000 | 0x7f120000 | 0x7f142fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f148000 | 0x7f148000 | 0x7f14afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f14b000 | 0x7f14b000 | 0x7f14dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f14e000 | 0x7f14e000 | 0x7f14efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f14f000 | 0x7f14f000 | 0x7f14ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xd0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #104: net.exe
0
0
| Information | Value |
|---|---|
| ID | #104 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSSQL$SQLEXPRESS |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd0c |
| Parent PID | 0xe24 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E4C
0x
E48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x04b6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04b91fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04bb3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c80000 | 0x04c80000 | 0x04c83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004c90000 | 0x04c90000 | 0x04c90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04ca1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x050dffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee60000 | 0x7ee60000 | 0x7ee82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee88000 | 0x7ee88000 | 0x7ee88fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee8b000 | 0x7ee8b000 | 0x7ee8dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee8e000 | 0x7ee8e000 | 0x7ee8efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #105: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #105 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe38 |
| Parent PID | 0xd0c (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E44
0x
E3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000700000 | 0x00700000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x0070ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00713fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00721fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00723fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00743fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00813fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00831fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00940000 | 0x009fdfff | Memory Mapped File | Readable |
|
|
|
- |
| netmsg.dll | 0x00a00000 | 0x00a02fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00af0000 | 0x00b21fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e770000 | 0x7e770000 | 0x7e86ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e870000 | 0x7e870000 | 0x7e892fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e895000 | 0x7e895000 | 0x7e895fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e897000 | 0x7e897000 | 0x7e899fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e89a000 | 0x7e89a000 | 0x7e89cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e89d000 | 0x7e89d000 | 0x7e89dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xa00000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #106: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #106 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c taskkill \/IM pg_ctl.exe \/F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe2c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E1C
0x
74C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x04ddffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004de0000 | 0x04de0000 | 0x04deffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04df3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e03fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e10000 | 0x04e10000 | 0x04e23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f70000 | 0x04f70000 | 0x04f73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004f80000 | 0x04f80000 | 0x04f80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04f91fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04fa0000 | 0x0505dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x0509ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x0517ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0535ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005360000 | 0x05360000 | 0x0545ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005550000 | 0x05550000 | 0x0555ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05560000 | 0x05896fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f1a0000 | 0x7f1a0000 | 0x7f29ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f2a0000 | 0x7f2a0000 | 0x7f2c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f2c6000 | 0x7f2c6000 | 0x7f2c8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2c9000 | 0x7f2c9000 | 0x7f2c9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2ca000 | 0x7f2ca000 | 0x7f2ccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2cd000 | 0x7f2cd000 | 0x7f2cdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x310, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #108: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #108 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill \/IM pg_ctl.exe \/F |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x310 |
| Parent PID | 0xe2c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
544
0x
E9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| taskkill.exe | 0x00130000 | 0x00145fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x04abffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04adffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04ae1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004af0000 | 0x04af0000 | 0x04b03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04b93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04ba0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e880000 | 0x7e880000 | 0x7e8a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e8ab000 | 0x7e8ab000 | 0x7e8abfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8ac000 | 0x7e8ac000 | 0x7e8aefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8af000 | 0x7e8af000 | 0x7e8affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #109: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #109 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config postgresql-9.0 start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe98 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E8C
0x
E70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x0449ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x044bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000044a0000 | 0x044a0000 | 0x044affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044b0000 | 0x044b0000 | 0x044b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044c0000 | 0x044c0000 | 0x044c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044c0000 | 0x044c0000 | 0x044c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000044d0000 | 0x044d0000 | 0x044e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x0452ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004530000 | 0x04530000 | 0x0462ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004630000 | 0x04630000 | 0x04633fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004640000 | 0x04640000 | 0x04640fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x04651fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04660000 | 0x0471dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004720000 | 0x04720000 | 0x0475ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x047fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x0480ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x0490ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x04a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04a60000 | 0x04d96fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7ed7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7eda2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eda7000 | 0x7eda7000 | 0x7eda7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eda9000 | 0x7eda9000 | 0x7edabfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edac000 | 0x7edac000 | 0x7edaefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edaf000 | 0x7edaf000 | 0x7edaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 136, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xe84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #111: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #111 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config postgresql-9.0 start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:17, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe84 |
| Parent PID | 0xe98 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E6C
0x
E7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a60000 | 0x00a60000 | 0x00a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00aa3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00cf0000 | 0x00d01fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00d20000 | 0x00dddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| kernelbase.dll.mui | 0x04ea0000 | 0x04f7efff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e6d0000 | 0x7e6d0000 | 0x7e7cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e7d0000 | 0x7e7d0000 | 0x7e7f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e7f7000 | 0x7e7f7000 | 0x7e7f7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7f8000 | 0x7e7f8000 | 0x7e7fafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7fb000 | 0x7e7fb000 | 0x7e7fdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7fe000 | 0x7e7fe000 | 0x7e7fefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #112: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #112 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop postgresql-9.0 |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe74 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EBC
0x
EE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x04e3ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e40000 | 0x04e40000 | 0x04e4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e53fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e63fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x04e83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004fd0000 | 0x04fd0000 | 0x04fd3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004fe0000 | 0x04fe0000 | 0x04fe0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ff1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x05000000 | 0x050bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x051cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052a0000 | 0x052a0000 | 0x0539ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x0549ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005690000 | 0x05690000 | 0x0569ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x056a0000 | 0x059d6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e860000 | 0x7e860000 | 0x7e95ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e960000 | 0x7e960000 | 0x7e982fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e984000 | 0x7e984000 | 0x7e984fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e985000 | 0x7e985000 | 0x7e985fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e98a000 | 0x7e98a000 | 0x7e98cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e98d000 | 0x7e98d000 | 0x7e98ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xedc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #114: net.exe
0
0
| Information | Value |
|---|---|
| ID | #114 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop postgresql-9.0 |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xedc |
| Parent PID | 0xe74 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED4
0x
EC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x04f1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f41fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x0502ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005030000 | 0x05030000 | 0x05033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005040000 | 0x05040000 | 0x05040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x05051fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0525ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x054bffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007fb40000 | 0x7fb40000 | 0x7fb62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fb64000 | 0x7fb64000 | 0x7fb64fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fb6c000 | 0x7fb6c000 | 0x7fb6efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fb6f000 | 0x7fb6f000 | 0x7fb6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #115: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #115 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop postgresql-9.0 |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeb4 |
| Parent PID | 0xedc (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED0
0x
EB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000200000 | 0x00200000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x0020ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00213fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00221fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00223fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00243fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00313fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00340000 | 0x003fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x004c0000 | 0x004c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00510000 | 0x00541fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ef4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef76000 | 0x7ef76000 | 0x7ef78fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef79000 | 0x7ef79000 | 0x7ef79fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef7a000 | 0x7ef7a000 | 0x7ef7afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef7d000 | 0x7ef7d000 | 0x7ef7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x4c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #116: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #116 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeAB start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EB8
0x
F14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x0486ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004870000 | 0x04870000 | 0x0488ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004870000 | 0x04870000 | 0x0487ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x04883fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x04890fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x0489ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000048a0000 | 0x048a0000 | 0x048b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000048c0000 | 0x048c0000 | 0x048fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x049fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004a00000 | 0x04a00000 | 0x04a03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004a10000 | 0x04a10000 | 0x04a10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a21fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04a30000 | 0x04aedfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b33fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04e50000 | 0x05186fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f430000 | 0x7f430000 | 0x7f52ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f530000 | 0x7f530000 | 0x7f552fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f556000 | 0x7f556000 | 0x7f556fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f558000 | 0x7f558000 | 0x7f558fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f55a000 | 0x7f55a000 | 0x7f55cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f55d000 | 0x7f55d000 | 0x7f55ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xf10, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #118: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #118 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeAB start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf10 |
| Parent PID | 0xec0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F08
0x
F00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003b0000 | 0x003b0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00483fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x004b0000 | 0x0056dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x005c0000 | 0x005d1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00730000 | 0x0080efff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e160000 | 0x7e160000 | 0x7e25ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e260000 | 0x7e260000 | 0x7e282fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e288000 | 0x7e288000 | 0x7e28afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e28b000 | 0x7e28b000 | 0x7e28dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e28e000 | 0x7e28e000 | 0x7e28efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e28f000 | 0x7e28f000 | 0x7e28ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #119: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #119 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeAntispamUpdate start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xef0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F04
0x
F50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x0487ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0489ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004880000 | 0x04880000 | 0x0488ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x04893fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x048a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x048affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000048b0000 | 0x048b0000 | 0x048c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x0490ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004910000 | 0x04910000 | 0x04a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004a10000 | 0x04a10000 | 0x04a13fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004a20000 | 0x04a20000 | 0x04a20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a31fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04c00000 | 0x04cbdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04dc0000 | 0x050f6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e620000 | 0x7e620000 | 0x7e71ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e720000 | 0x7e720000 | 0x7e742fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e746000 | 0x7e746000 | 0x7e748fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e749000 | 0x7e749000 | 0x7e74bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e74c000 | 0x7e74c000 | 0x7e74cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e74f000 | 0x7e74f000 | 0x7e74ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xf4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #121: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #121 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeAntispamUpdate start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf4c |
| Parent PID | 0xef0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F44
0x
F40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000990000 | 0x00990000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x0099ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x009d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00a90000 | 0x00b4dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00bd0000 | 0x00be1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00c20000 | 0x00cfefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0505ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e5c0000 | 0x7e5c0000 | 0x7e6bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e6c0000 | 0x7e6c0000 | 0x7e6e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e6e6000 | 0x7e6e6000 | 0x7e6e8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6e9000 | 0x7e6e9000 | 0x7e6ebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6ec000 | 0x7e6ec000 | 0x7e6ecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6ef000 | 0x7e6ef000 | 0x7e6effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #122: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #122 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeEdgeSync start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf48 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F3C
0x
E34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x0491ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004920000 | 0x04920000 | 0x0493ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004920000 | 0x04920000 | 0x0492ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004930000 | 0x04930000 | 0x04933fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x04941fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x04943fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004950000 | 0x04950000 | 0x04963fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004970000 | 0x04970000 | 0x049affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049b0000 | 0x049b0000 | 0x04aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ab0000 | 0x04ab0000 | 0x04ab3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004ac0000 | 0x04ac0000 | 0x04ac0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04ad1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04ae0000 | 0x04b9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050cffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x050d0000 | 0x05406fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f680000 | 0x7f680000 | 0x7f77ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f780000 | 0x7f780000 | 0x7f7a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f7a7000 | 0x7f7a7000 | 0x7f7a9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7aa000 | 0x7f7aa000 | 0x7f7aafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7ac000 | 0x7f7ac000 | 0x7f7aefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7af000 | 0x7f7af000 | 0x7f7affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xe18, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #124: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #124 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeEdgeSync start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe18 |
| Parent PID | 0xf48 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F34
0x
F24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a90000 | 0x00a90000 | 0x00aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ad3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00b90000 | 0x00ba1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00bc0000 | 0x00c7dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| kernelbase.dll.mui | 0x04ea0000 | 0x04f7efff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f1d0000 | 0x7f1d0000 | 0x7f2cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f2d0000 | 0x7f2d0000 | 0x7f2f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f2f5000 | 0x7f2f5000 | 0x7f2f5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2f9000 | 0x7f2f9000 | 0x7f2fbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2fc000 | 0x7f2fc000 | 0x7f2fefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2ff000 | 0x7f2ff000 | 0x7f2fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #125: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #125 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeFDS start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:09, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf38 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F20
0x
A5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000330000 | 0x00330000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x0033ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00350fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00353fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00373fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004510000 | 0x04510000 | 0x04513fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004520000 | 0x04520000 | 0x04520fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004530000 | 0x04530000 | 0x04531fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x0457ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x046effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004730000 | 0x04730000 | 0x0473ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04740000 | 0x047fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x048fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04a70000 | 0x04da6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f3b0000 | 0x7f3b0000 | 0x7f4affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f4b0000 | 0x7f4b0000 | 0x7f4d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4d6000 | 0x7f4d6000 | 0x7f4d8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4d9000 | 0x7f4d9000 | 0x7f4d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4dc000 | 0x7f4dc000 | 0x7f4defff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4df000 | 0x7f4df000 | 0x7f4dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 232, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xa60, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #127: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #127 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeFDS start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa60 |
| Parent PID | 0xf38 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A7C
0x
524
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000df0000 | 0x00df0000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e03fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e11fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04edffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ee0000 | 0x04ee0000 | 0x04ee3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004ef0000 | 0x04ef0000 | 0x04ef0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f01fff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x04f10000 | 0x04f21fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04f50000 | 0x0500dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0504ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0508ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x051effff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x051f0000 | 0x052cefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0538ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e6b0000 | 0x7e6b0000 | 0x7e7affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e7b0000 | 0x7e7b0000 | 0x7e7d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e7d6000 | 0x7e7d6000 | 0x7e7d8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7d9000 | 0x7e7d9000 | 0x7e7d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7db000 | 0x7e7db000 | 0x7e7dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7dd000 | 0x7e7dd000 | 0x7e7dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #128: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #128 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeFBA start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x560 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9A0
0x
948
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x04e0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e10000 | 0x04e10000 | 0x04e1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e23fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e30fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04e33fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e40000 | 0x04e40000 | 0x04e53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004fa0000 | 0x04fa0000 | 0x04fa3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004fb0000 | 0x04fb0000 | 0x04fb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04feffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04ff0000 | 0x050adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x050effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x052cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x053cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000055b0000 | 0x055b0000 | 0x055bffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x055c0000 | 0x058f6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e9b0000 | 0x7e9b0000 | 0x7eaaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eab0000 | 0x7eab0000 | 0x7ead2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ead4000 | 0x7ead4000 | 0x7ead4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ead5000 | 0x7ead5000 | 0x7ead5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eada000 | 0x7eada000 | 0x7eadcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eadd000 | 0x7eadd000 | 0x7eadffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 85, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x930, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #130: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #130 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeFBA start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x930 |
| Parent PID | 0x560 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
954
0x
8C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000330000 | 0x00330000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x0033ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00351fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00373fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00430000 | 0x004edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00590000 | 0x005a1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00760000 | 0x0083efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f380000 | 0x7f380000 | 0x7f47ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f480000 | 0x7f480000 | 0x7f4a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4a5000 | 0x7f4a5000 | 0x7f4a5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4a9000 | 0x7f4a9000 | 0x7f4abfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ac000 | 0x7f4ac000 | 0x7f4aefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4af000 | 0x7f4af000 | 0x7f4affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #131: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #131 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeImap4 start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa58 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A54
0x
A88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x04cdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04ceffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cf3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d10000 | 0x04d10000 | 0x04d23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x04e73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004e80000 | 0x04e80000 | 0x04e80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04e91fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04edffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04f10000 | 0x04fcdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x051affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x052affff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x052b0000 | 0x055e6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7ee7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee80000 | 0x7ee80000 | 0x7eea2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eea8000 | 0x7eea8000 | 0x7eeaafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eeab000 | 0x7eeab000 | 0x7eeadfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eeae000 | 0x7eeae000 | 0x7eeaefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eeaf000 | 0x7eeaf000 | 0x7eeaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xa84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #133: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #133 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeImap4 start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:20, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa84 |
| Parent PID | 0xa58 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
824
0x
BFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d20000 | 0x00d20000 | 0x00d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d20000 | 0x00d20000 | 0x00d2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d33fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d41fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00df3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e11fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00e60000 | 0x00e71fff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x04ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x05000000 | 0x050bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050fffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x05100000 | 0x051defff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x052cffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f580000 | 0x7f580000 | 0x7f67ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f680000 | 0x7f680000 | 0x7f6a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f6a5000 | 0x7f6a5000 | 0x7f6a5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6a9000 | 0x7f6a9000 | 0x7f6abfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6ac000 | 0x7f6ac000 | 0x7f6aefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6af000 | 0x7f6af000 | 0x7f6affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #134: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #134 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeIS start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x960 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
674
0x
F78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x04b0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b10000 | 0x04b10000 | 0x04b1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b23fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b30fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b33fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b40000 | 0x04b40000 | 0x04b53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ca0000 | 0x04ca0000 | 0x04ca3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004cb0000 | 0x04cb0000 | 0x04cb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04cc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04cf0000 | 0x04dadfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04deffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x0506ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0526ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05270000 | 0x055a6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee80000 | 0x7ee80000 | 0x7ef7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef80000 | 0x7ef80000 | 0x7efa2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efa6000 | 0x7efa6000 | 0x7efa6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa9000 | 0x7efa9000 | 0x7efabfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efac000 | 0x7efac000 | 0x7efaefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efaf000 | 0x7efaf000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xf68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #136: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #136 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeIS start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf68 |
| Parent PID | 0x960 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F70
0x
F58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000190000 | 0x00190000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x0019ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00263fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00281fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00290000 | 0x0034dfff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe.mui | 0x00350000 | 0x00361fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00590000 | 0x0066efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7edeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7ee12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee18000 | 0x7ee18000 | 0x7ee1afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee1b000 | 0x7ee1b000 | 0x7ee1dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee1e000 | 0x7ee1e000 | 0x7ee1efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee1f000 | 0x7ee1f000 | 0x7ee1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #137: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #137 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeMailSubmission start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:20, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf6c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F54
0x
FB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x0462ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004630000 | 0x04630000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004630000 | 0x04630000 | 0x0463ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x04643fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x04651fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x04653fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004660000 | 0x04660000 | 0x04673fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x046bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x047bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000047c0000 | 0x047c0000 | 0x047c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000047d0000 | 0x047d0000 | 0x047d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000047e0000 | 0x047e0000 | 0x047e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x047f0000 | 0x048adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000048b0000 | 0x048b0000 | 0x048effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004910000 | 0x04910000 | 0x0491ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004920000 | 0x04920000 | 0x04a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04baffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04bb0000 | 0x04ee6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f560000 | 0x7f560000 | 0x7f65ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f660000 | 0x7f660000 | 0x7f682fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f683000 | 0x7f683000 | 0x7f683fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f689000 | 0x7f689000 | 0x7f68bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f68c000 | 0x7f68c000 | 0x7f68efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f68f000 | 0x7f68f000 | 0x7f68ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xfa8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #139: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #139 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeMailSubmission start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfa8 |
| Parent PID | 0xf6c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FB0
0x
FAC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000300000 | 0x00300000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x0030ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00313fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00321fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00343fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00400000 | 0x004bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00550000 | 0x00561fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x006f0000 | 0x007cefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e5d0000 | 0x7e5d0000 | 0x7e6cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e6d0000 | 0x7e6d0000 | 0x7e6f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e6f6000 | 0x7e6f6000 | 0x7e6f8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6f9000 | 0x7e6f9000 | 0x7e6fbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6fc000 | 0x7e6fc000 | 0x7e6fcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6ff000 | 0x7e6ff000 | 0x7e6fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #140: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #140 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeMailboxAssistants start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:20, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf9c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FA4
0x
F98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x0493ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x0495ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004940000 | 0x04940000 | 0x0494ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004950000 | 0x04950000 | 0x04953fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x04961fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x04963fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004970000 | 0x04970000 | 0x04983fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x049cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04acffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ad0000 | 0x04ad0000 | 0x04ad3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004ae0000 | 0x04ae0000 | 0x04ae0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04af1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04b00000 | 0x04bbdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04deffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e90000 | 0x04e90000 | 0x04f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x0516ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05170000 | 0x054a6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e310000 | 0x7e310000 | 0x7e40ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e410000 | 0x7e410000 | 0x7e432fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e433000 | 0x7e433000 | 0x7e433fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e439000 | 0x7e439000 | 0x7e43bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e43c000 | 0x7e43c000 | 0x7e43efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e43f000 | 0x7e43f000 | 0x7e43ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xf90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #142: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #142 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeMailboxAssistants start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:20, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf90 |
| Parent PID | 0xf9c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FEC
0x
FE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001e0000 | 0x001e0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00201fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00223fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00470000 | 0x00481fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x004b0000 | 0x0056dfff | Memory Mapped File | Readable |
|
|
|
- |
| kernelbase.dll.mui | 0x00570000 | 0x0064efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e9c0000 | 0x7e9c0000 | 0x7eabffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7eae2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eae6000 | 0x7eae6000 | 0x7eae8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eae9000 | 0x7eae9000 | 0x7eae9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaec000 | 0x7eaec000 | 0x7eaeefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaef000 | 0x7eaef000 | 0x7eaeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #143: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #143 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeMailboxReplication start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:20, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfdc |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE4
0x
FD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000060000 | 0x00060000 | 0x0007ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x0006ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00073fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00081fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00083fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x000a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00211fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00220000 | 0x002ddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x045dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x045fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004600000 | 0x04600000 | 0x046fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004870000 | 0x04870000 | 0x0487ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04880000 | 0x04bb6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f800000 | 0x7f800000 | 0x7f8fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f900000 | 0x7f900000 | 0x7f922fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f924000 | 0x7f924000 | 0x7f926fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f927000 | 0x7f927000 | 0x7f927fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f92a000 | 0x7f92a000 | 0x7f92cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f92d000 | 0x7f92d000 | 0x7f92dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xfbc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #145: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #145 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeMailboxReplication start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfbc |
| Parent PID | 0xfdc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FCC
0x
FFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00be3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bf1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c13fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00d70000 | 0x00e2dfff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe.mui | 0x00e30000 | 0x00e41fff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| kernelbase.dll.mui | 0x04ea0000 | 0x04f7efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0513ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f740000 | 0x7f740000 | 0x7f83ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f840000 | 0x7f840000 | 0x7f862fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f866000 | 0x7f866000 | 0x7f868fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f869000 | 0x7f869000 | 0x7f869fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f86c000 | 0x7f86c000 | 0x7f86efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f86f000 | 0x7f86f000 | 0x7f86ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #146: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #146 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeMonitoring start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfc4 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
168
0x
C18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x0476ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x0478ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004770000 | 0x04770000 | 0x0477ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x04783fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x04791fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x04793fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000047a0000 | 0x047a0000 | 0x047b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000047c0000 | 0x047c0000 | 0x047fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x048fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004900000 | 0x04900000 | 0x04903fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004910000 | 0x04910000 | 0x04910fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004920000 | 0x04920000 | 0x04921fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004930000 | 0x04930000 | 0x0493ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x0497ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04a80000 | 0x04b3dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04caffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04cb0000 | 0x04fe6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7edeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7ee12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee15000 | 0x7ee15000 | 0x7ee15fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee19000 | 0x7ee19000 | 0x7ee1bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee1c000 | 0x7ee1c000 | 0x7ee1efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee1f000 | 0x7ee1f000 | 0x7ee1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x9ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #148: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #148 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeMonitoring start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ec |
| Parent PID | 0xfc4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF4
0x
604
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c10000 | 0x00c10000 | 0x00c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c23fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c31fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00c53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cf0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d01fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00d10000 | 0x00dcdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00e50000 | 0x00e61fff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005010000 | 0x05010000 | 0x0501ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x05020000 | 0x050fefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x0524ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f150000 | 0x7f150000 | 0x7f24ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f250000 | 0x7f250000 | 0x7f272fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f275000 | 0x7f275000 | 0x7f275fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f279000 | 0x7f279000 | 0x7f27bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f27c000 | 0x7f27c000 | 0x7f27efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f27f000 | 0x7f27f000 | 0x7f27ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #149: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #149 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangePop3 start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xff0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C54
0x
C4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0484ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004850000 | 0x04850000 | 0x0486ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004850000 | 0x04850000 | 0x0485ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004860000 | 0x04860000 | 0x04863fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004870000 | 0x04870000 | 0x04870fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004870000 | 0x04870000 | 0x0487ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004880000 | 0x04880000 | 0x04893fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x048dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048e0000 | 0x048e0000 | 0x049dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000049e0000 | 0x049e0000 | 0x049e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000049f0000 | 0x049f0000 | 0x049f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04a01fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04a10000 | 0x04acdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004ad0000 | 0x04ad0000 | 0x04ad3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04e20000 | 0x05156fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ef3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef40000 | 0x7ef40000 | 0x7ef62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef63000 | 0x7ef63000 | 0x7ef63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef69000 | 0x7ef69000 | 0x7ef6bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef6c000 | 0x7ef6c000 | 0x7ef6efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef6f000 | 0x7ef6f000 | 0x7ef6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xc5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #151: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #151 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangePop3 start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc5c |
| Parent PID | 0xff0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C60
0x
C64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000560000 | 0x00560000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x0056ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00573fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x00581fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x005a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00633fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x00640fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00651fff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00660000 | 0x00671fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x006a0000 | 0x0075dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x008e0000 | 0x009befff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e900000 | 0x7e900000 | 0x7e9fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ea00000 | 0x7ea00000 | 0x7ea22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ea28000 | 0x7ea28000 | 0x7ea2afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea2b000 | 0x7ea2b000 | 0x7ea2dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea2e000 | 0x7ea2e000 | 0x7ea2efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea2f000 | 0x7ea2f000 | 0x7ea2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #152: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #152 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeProtectedServiceHost start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1f4 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C24
0x
C20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x047effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x0480ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000047f0000 | 0x047f0000 | 0x047fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x04803fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x04811fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x0481ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004820000 | 0x04820000 | 0x04833fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x0487ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0497ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004980000 | 0x04980000 | 0x04983fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004990000 | 0x04990000 | 0x04990fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x049b0000 | 0x04a6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04ab3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04e20000 | 0x05156fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f7b0000 | 0x7f7b0000 | 0x7f8affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f8b0000 | 0x7f8b0000 | 0x7f8d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f8d6000 | 0x7f8d6000 | 0x7f8d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f8d9000 | 0x7f8d9000 | 0x7f8dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f8dc000 | 0x7f8dc000 | 0x7f8defff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f8df000 | 0x7f8df000 | 0x7f8dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xd8c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #154: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #154 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeProtectedServiceHost start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd8c |
| Parent PID | 0x1f4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E58
0x
D04
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002e0000 | 0x002e0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00323fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00400000 | 0x004bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00640000 | 0x00651fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00700000 | 0x007defff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e520000 | 0x7e520000 | 0x7e61ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e620000 | 0x7e620000 | 0x7e642fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e645000 | 0x7e645000 | 0x7e645fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e649000 | 0x7e649000 | 0x7e64bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e64c000 | 0x7e64c000 | 0x7e64efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e64f000 | 0x7e64f000 | 0x7e64ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #155: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #155 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeRepl start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe54 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E50
0x
C8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x0445ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x0447ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004460000 | 0x04460000 | 0x0446ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004470000 | 0x04470000 | 0x04473fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004480000 | 0x04480000 | 0x04480fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004480000 | 0x04480000 | 0x04483fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004490000 | 0x04490000 | 0x044a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000044b0000 | 0x044b0000 | 0x044effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x045effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000045f0000 | 0x045f0000 | 0x045f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004600000 | 0x04600000 | 0x04600fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004610000 | 0x04610000 | 0x04611fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04650000 | 0x0470dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004710000 | 0x04710000 | 0x0474ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x048affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048b0000 | 0x048b0000 | 0x049affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04b90000 | 0x04ec6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eee0000 | 0x7eee0000 | 0x7efdffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f002fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f008000 | 0x7f008000 | 0x7f00afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f00b000 | 0x7f00b000 | 0x7f00bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f00c000 | 0x7f00c000 | 0x7f00efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f00f000 | 0x7f00f000 | 0x7f00ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xc98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #157: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #157 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeRepl start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc98 |
| Parent PID | 0xe54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CA0
0x
C9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007f0000 | 0x007f0000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00803fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00811fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00833fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0094ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00990000 | 0x009a1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00afffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00b00000 | 0x00bbdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00ca0000 | 0x00d7efff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e740000 | 0x7e740000 | 0x7e83ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e840000 | 0x7e840000 | 0x7e862fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e866000 | 0x7e866000 | 0x7e868fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e869000 | 0x7e869000 | 0x7e86bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86c000 | 0x7e86c000 | 0x7e86cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86f000 | 0x7e86f000 | 0x7e86ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #158: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #158 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeRPC start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc90 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
820
0x
CB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0442ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004410000 | 0x04410000 | 0x0441ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x04423fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04430fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04433fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004440000 | 0x04440000 | 0x04453fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x0449ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x0459ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000045a0000 | 0x045a0000 | 0x045a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000045b0000 | 0x045b0000 | 0x045b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x0460ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004670000 | 0x04670000 | 0x0467ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x0478ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04790000 | 0x0484dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004850000 | 0x04850000 | 0x0494ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04acffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04ad0000 | 0x04e06fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee10000 | 0x7ee10000 | 0x7ef0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef10000 | 0x7ef10000 | 0x7ef32fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef33000 | 0x7ef33000 | 0x7ef33fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef37000 | 0x7ef37000 | 0x7ef37fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef3a000 | 0x7ef3a000 | 0x7ef3cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef3d000 | 0x7ef3d000 | 0x7ef3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 163, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x42c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #160: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #160 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeRPC start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x42c |
| Parent PID | 0xc90 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C3C
0x
390
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004e0000 | 0x004e0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00501fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00523fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x005e0000 | 0x0069dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00720000 | 0x00731fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00a50000 | 0x00b2efff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e570000 | 0x7e570000 | 0x7e66ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e670000 | 0x7e670000 | 0x7e692fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e696000 | 0x7e696000 | 0x7e696fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e699000 | 0x7e699000 | 0x7e69bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e69c000 | 0x7e69c000 | 0x7e69cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e69d000 | 0x7e69d000 | 0x7e69ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #161: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #161 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeSearch start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb3c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
620
0x
C48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x0488ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x048affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004890000 | 0x04890000 | 0x0489ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048a0000 | 0x048a0000 | 0x048a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048b0000 | 0x048b0000 | 0x048b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048b0000 | 0x048b0000 | 0x048bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000048c0000 | 0x048c0000 | 0x048d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000048e0000 | 0x048e0000 | 0x0491ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004920000 | 0x04920000 | 0x04a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004a20000 | 0x04a20000 | 0x04a23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004a30000 | 0x04a30000 | 0x04a30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a41fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04a50000 | 0x04b0dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b53fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04e10000 | 0x05146fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f3d0000 | 0x7f3d0000 | 0x7f4cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f4d0000 | 0x7f4d0000 | 0x7f4f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4f4000 | 0x7f4f4000 | 0x7f4f4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4f9000 | 0x7f4f9000 | 0x7f4fbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4fc000 | 0x7f4fc000 | 0x7f4fefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ff000 | 0x7f4ff000 | 0x7f4fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 15, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xc50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #163: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #163 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeSearch start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc50 |
| Parent PID | 0xb3c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2D0
0x
BC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005d0000 | 0x005d0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00613fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x006d0000 | 0x0078dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0093ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00940000 | 0x00951fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00a20000 | 0x00afefff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e740000 | 0x7e740000 | 0x7e83ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e840000 | 0x7e840000 | 0x7e862fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e867000 | 0x7e867000 | 0x7e867fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e868000 | 0x7e868000 | 0x7e86afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86b000 | 0x7e86b000 | 0x7e86dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86e000 | 0x7e86e000 | 0x7e86efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #164: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #164 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config wsbexchange start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc7c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C2C
0x
714
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x04afffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b00000 | 0x04b00000 | 0x04b0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b13fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b23fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b30000 | 0x04b30000 | 0x04b43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b90000 | 0x04b90000 | 0x04c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c90000 | 0x04c90000 | 0x04c93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004ca0000 | 0x04ca0000 | 0x04ca0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04cb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04cc0000 | 0x04d7dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x0505ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005180000 | 0x05180000 | 0x0518ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05190000 | 0x054c6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ef80000 | 0x7ef80000 | 0x7f07ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f080000 | 0x7f080000 | 0x7f0a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0a6000 | 0x7f0a6000 | 0x7f0a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0a8000 | 0x7f0a8000 | 0x7f0aafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0ab000 | 0x7f0ab000 | 0x7f0abfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0ad000 | 0x7f0ad000 | 0x7f0affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x114, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #166: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #166 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config wsbexchange start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x114 |
| Parent PID | 0xc7c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CC0
0x
D1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000060000 | 0x00060000 | 0x0007ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x0006ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00073fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00081fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x000a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00151fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00200000 | 0x002bdfff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe.mui | 0x002c0000 | 0x002d1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00460000 | 0x0053efff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e690000 | 0x7e690000 | 0x7e78ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e790000 | 0x7e790000 | 0x7e7b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e7b4000 | 0x7e7b4000 | 0x7e7b4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7b9000 | 0x7e7b9000 | 0x7e7b9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7ba000 | 0x7e7ba000 | 0x7e7bcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7bd000 | 0x7e7bd000 | 0x7e7bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #167: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #167 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeServiceHost start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcd0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CB8
0x
D5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001f0000 | 0x001f0000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00203fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00211fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00213fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00233fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00383fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x0454ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045bffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x045c0000 | 0x0467dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x0477ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048e0000 | 0x048e0000 | 0x048effff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x048f0000 | 0x04c26fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007fd40000 | 0x7fd40000 | 0x7fe3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fe40000 | 0x7fe40000 | 0x7fe62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fe65000 | 0x7fe65000 | 0x7fe65fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe67000 | 0x7fe67000 | 0x7fe67fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe6a000 | 0x7fe6a000 | 0x7fe6cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe6d000 | 0x7fe6d000 | 0x7fe6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xd20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #169: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #169 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeServiceHost start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd20 |
| Parent PID | 0xcd0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D24
0x
D30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000001d0000 | 0x001d0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00213fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00440000 | 0x004fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00540000 | 0x00551fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00600000 | 0x006defff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7eb5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7eb82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb86000 | 0x7eb86000 | 0x7eb88fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb89000 | 0x7eb89000 | 0x7eb89fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb8c000 | 0x7eb8c000 | 0x7eb8efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb8f000 | 0x7eb8f000 | 0x7eb8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #170: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #170 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeSA start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd44 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D14
0x
D78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000070000 | 0x00070000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x0007ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00093fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00203fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00221fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00233fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00270000 | 0x0032dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x0461ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04620000 | 0x04956fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e9c0000 | 0x7e9c0000 | 0x7eabffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7eae2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eae6000 | 0x7eae6000 | 0x7eae8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eae9000 | 0x7eae9000 | 0x7eae9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaec000 | 0x7eaec000 | 0x7eaeefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaef000 | 0x7eaef000 | 0x7eaeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xd80, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #172: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #172 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeSA start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:40, Reason: Self Terminated |
| Monitor Duration | 00:00:27 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd80 |
| Parent PID | 0xd44 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D70
0x
454
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003f0000 | 0x003f0000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00403fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00411fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00433fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x004f0000 | 0x005adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x005f0000 | 0x00601fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00660000 | 0x0073efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e5f0000 | 0x7e5f0000 | 0x7e6effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e6f0000 | 0x7e6f0000 | 0x7e712fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e715000 | 0x7e715000 | 0x7e715fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e717000 | 0x7e717000 | 0x7e717fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e71a000 | 0x7e71a000 | 0x7e71cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e71d000 | 0x7e71d000 | 0x7e71ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #173: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #173 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeThrottling start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd84 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D90
0x
5C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x04f2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f30000 | 0x04f30000 | 0x04f3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f53fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f60000 | 0x04f60000 | 0x04f73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04fbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x050bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000050c0000 | 0x050c0000 | 0x050c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000050d0000 | 0x050d0000 | 0x050d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000050e0000 | 0x050e0000 | 0x050e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050f0000 | 0x050f0000 | 0x0512ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x0523ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x052dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x052e0000 | 0x0539dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x0549ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005670000 | 0x05670000 | 0x0567ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05680000 | 0x059b6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eb10000 | 0x7eb10000 | 0x7ec0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ec10000 | 0x7ec10000 | 0x7ec32fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ec33000 | 0x7ec33000 | 0x7ec33fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec38000 | 0x7ec38000 | 0x7ec3afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec3b000 | 0x7ec3b000 | 0x7ec3bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec3d000 | 0x7ec3d000 | 0x7ec3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0x300, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #175: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #175 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeThrottling start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x300 |
| Parent PID | 0xd84 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
65C
0x
D50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007b0000 | 0x007b0000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00883fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00890fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00910000 | 0x009cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00a10000 | 0x00a21fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00c80000 | 0x00d5efff | Memory Mapped File | Readable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f470000 | 0x7f470000 | 0x7f56ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f570000 | 0x7f570000 | 0x7f592fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f594000 | 0x7f594000 | 0x7f594fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f597000 | 0x7f597000 | 0x7f599fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f59a000 | 0x7f59a000 | 0x7f59afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f59d000 | 0x7f59d000 | 0x7f59ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #176: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #176 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeTransport start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd64 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B30
0x
D58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0442ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004410000 | 0x04410000 | 0x0441ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x04423fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04431fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04433fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004440000 | 0x04440000 | 0x04453fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x0449ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x0459ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000045a0000 | 0x045a0000 | 0x045a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000045b0000 | 0x045b0000 | 0x045b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x045d0000 | 0x0468dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x046cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x0470ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004710000 | 0x04710000 | 0x0480ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0497ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ac0000 | 0x04ac0000 | 0x04acffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04ad0000 | 0x04e06fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f380000 | 0x7f380000 | 0x7f47ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f480000 | 0x7f480000 | 0x7f4a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4a7000 | 0x7f4a7000 | 0x7f4a9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4aa000 | 0x7f4aa000 | 0x7f4aafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ab000 | 0x7f4ab000 | 0x7f4abfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ad000 | 0x7f4ad000 | 0x7f4affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xd74, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #178: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #178 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeTransport start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd74 |
| Parent PID | 0xd64 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D60
0x
D7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b60000 | 0x00b60000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00ba3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00c40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c51fff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00c60000 | 0x00c71fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x04ea0000 | 0x04f5dfff | Memory Mapped File | Readable |
|
|
|
- |
| kernelbase.dll.mui | 0x04f60000 | 0x0503efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0511ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ed6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed70000 | 0x7ed70000 | 0x7ed92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ed98000 | 0x7ed98000 | 0x7ed9afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed9b000 | 0x7ed9b000 | 0x7ed9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed9e000 | 0x7ed9e000 | 0x7ed9efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed9f000 | 0x7ed9f000 | 0x7ed9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #179: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #179 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeTransportLogSearch start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdcc |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D54
0x
DC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x047affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x047cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000047b0000 | 0x047b0000 | 0x047bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047c0000 | 0x047c0000 | 0x047c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x047d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x047d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000047e0000 | 0x047e0000 | 0x047f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x0483ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004840000 | 0x04840000 | 0x0493ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004940000 | 0x04940000 | 0x04943fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004950000 | 0x04950000 | 0x04950fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x04961fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04970000 | 0x04a2dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04d50000 | 0x05086fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eb50000 | 0x7eb50000 | 0x7ec4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ec50000 | 0x7ec50000 | 0x7ec72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ec76000 | 0x7ec76000 | 0x7ec78fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec79000 | 0x7ec79000 | 0x7ec79fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec7c000 | 0x7ec7c000 | 0x7ec7efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec7f000 | 0x7ec7f000 | 0x7ec7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 16, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xda4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #181: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #181 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeTransportLogSearch start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda4 |
| Parent PID | 0xdcc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DD0
0x
DB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000790000 | 0x00790000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x0079ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00863fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x008e0000 | 0x0099dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x009e0000 | 0x009f1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00b10000 | 0x00beefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f340000 | 0x7f340000 | 0x7f43ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f440000 | 0x7f440000 | 0x7f462fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f467000 | 0x7f467000 | 0x7f469fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f46a000 | 0x7f46a000 | 0x7f46afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f46c000 | 0x7f46c000 | 0x7f46efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f46f000 | 0x7f46f000 | 0x7f46ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #182: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #182 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c sc config MSExchangeADTopology start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd4 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DC8
0x
DA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x04daffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004db0000 | 0x04db0000 | 0x04dbffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04dd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04dd3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004de0000 | 0x04de0000 | 0x04df3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f61fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04f70000 | 0x0502dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0505ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005060000 | 0x05060000 | 0x0509ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0521ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005220000 | 0x05220000 | 0x0531ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000053f0000 | 0x053f0000 | 0x053fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05400000 | 0x05736fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ea70000 | 0x7ea70000 | 0x7eb6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eb70000 | 0x7eb70000 | 0x7eb92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb97000 | 0x7eb97000 | 0x7eb99fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb9a000 | 0x7eb9a000 | 0x7eb9afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb9c000 | 0x7eb9c000 | 0x7eb9efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb9f000 | 0x7eb9f000 | 0x7eb9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\sc.exe | os_pid = 0xcc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000424 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #184: sc.exe
6
0
| Information | Value |
|---|---|
| ID | #184 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MSExchangeADTopology start= disabled |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:43 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcc4 |
| Parent PID | 0xdd4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
224
0x
CA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000090000 | 0x00090000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x0009ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00163fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0x00210000 | 0x00221fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00250000 | 0x0030dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x00420000 | 0x004fefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x00e80000 | 0x00e91fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x04e9ffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6e0000 | 0x7f6e0000 | 0x7f7dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f7e0000 | 0x7f7e0000 | 0x7f802fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f805000 | 0x7f805000 | 0x7f805fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f807000 | 0x7f807000 | 0x7f809fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f80a000 | 0x7f80a000 | 0x7f80cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f80d000 | 0x7f80d000 | 0x7f80dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\sc.exe | base_address = 0xe80000 |
|
1 |
Service (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #185: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #185 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeAB |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
394
0x
E08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x049bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x049dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000049c0000 | 0x049c0000 | 0x049cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x049d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000049f0000 | 0x049f0000 | 0x04a03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b50000 | 0x04b50000 | 0x04b53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b71fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04b80000 | 0x04c3dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x0500ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05010000 | 0x05346fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f330000 | 0x7f330000 | 0x7f42ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f430000 | 0x7f430000 | 0x7f452fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f454000 | 0x7f454000 | 0x7f454fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f457000 | 0x7f457000 | 0x7f459fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f45a000 | 0x7f45a000 | 0x7f45cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f45d000 | 0x7f45d000 | 0x7f45dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 40, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xde0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #187: net.exe
0
0
| Information | Value |
|---|---|
| ID | #187 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeAB |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xde0 |
| Parent PID | 0xdb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF0
0x
E0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000e0000 | 0x000e0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00101fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00123fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00211fff | Private Memory | Readable, Writable |
|
|
|
- |
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x0423ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004390000 | 0x04390000 | 0x0439ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x044fffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eda0000 | 0x7eda0000 | 0x7edc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007edc5000 | 0x7edc5000 | 0x7edc5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edcc000 | 0x7edcc000 | 0x7edcefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edcf000 | 0x7edcf000 | 0x7edcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #188: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #188 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeAB |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe10 |
| Parent PID | 0xde0 (c:\windows\syswow64\net1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D34
0x
DFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00feffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x01001fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x01003fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001010000 | 0x01010000 | 0x01023fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01073fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x0513ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005140000 | 0x05140000 | 0x05140fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x05151fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x05160000 | 0x0521dfff | Memory Mapped File | Readable |
|
|
|
- |
| netmsg.dll | 0x05220000 | 0x05222fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x0525ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0529ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052a0000 | 0x052a0000 | 0x0531ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x05320000 | 0x05351fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000053d0000 | 0x053d0000 | 0x053dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000053e0000 | 0x053e0000 | 0x054dffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f650000 | 0x7f650000 | 0x7f74ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f750000 | 0x7f750000 | 0x7f772fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f777000 | 0x7f777000 | 0x7f779fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f77a000 | 0x7f77a000 | 0x7f77afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f77c000 | 0x7f77c000 | 0x7f77efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f77f000 | 0x7f77f000 | 0x7f77ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x5220000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #189: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #189 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeAntispamUpdate |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x210 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D18
0x
E4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000d0000 | 0x000d0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00113fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00263fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00281fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00290000 | 0x0034dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004450000 | 0x04450000 | 0x0454ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x0478ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04790000 | 0x04ac6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f330000 | 0x7f330000 | 0x7f42ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f430000 | 0x7f430000 | 0x7f452fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f458000 | 0x7f458000 | 0x7f45afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f45b000 | 0x7f45b000 | 0x7f45dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f45e000 | 0x7f45e000 | 0x7f45efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f45f000 | 0x7f45f000 | 0x7f45ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 208, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xe48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #191: net.exe
0
0
| Information | Value |
|---|---|
| ID | #191 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeAntispamUpdate |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe48 |
| Parent PID | 0x210 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
718
0x
27C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x047fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x0481ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x04821fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004830000 | 0x04830000 | 0x04843fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004850000 | 0x04850000 | 0x0488ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x0490ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004910000 | 0x04910000 | 0x04913fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004920000 | 0x04920000 | 0x04920fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004930000 | 0x04930000 | 0x04931fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049d0000 | 0x049d0000 | 0x04acffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f002fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f00b000 | 0x7f00b000 | 0x7f00dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f00e000 | 0x7f00e000 | 0x7f00efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f00f000 | 0x7f00f000 | 0x7f00ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #192: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #192 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeAntispamUpdate |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2ec |
| Parent PID | 0xe48 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9C8
0x
908
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000040000 | 0x00040000 | 0x0005ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0004ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00061fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00063fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00083fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00153fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x001c0000 | 0x001c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00310000 | 0x003cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00490000 | 0x004c1fff | Memory Mapped File | Readable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e7b0000 | 0x7e7b0000 | 0x7e8affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e8b0000 | 0x7e8b0000 | 0x7e8d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e8d7000 | 0x7e8d7000 | 0x7e8d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8da000 | 0x7e8da000 | 0x7e8dafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8dc000 | 0x7e8dc000 | 0x7e8dcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8dd000 | 0x7e8dd000 | 0x7e8dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x1c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #193: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #193 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeEdgeSync |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x420 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
544
0x
E90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x0475ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x0477ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004760000 | 0x04760000 | 0x0476ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x04773fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x04780fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x04783fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004790000 | 0x04790000 | 0x047a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x047effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x048effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000048f0000 | 0x048f0000 | 0x048f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004900000 | 0x04900000 | 0x04900fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004910000 | 0x04910000 | 0x04911fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04920000 | 0x049ddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x04a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04d50000 | 0x05086fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e7d0000 | 0x7e7d0000 | 0x7e8cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e8d0000 | 0x7e8d0000 | 0x7e8f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e8f7000 | 0x7e8f7000 | 0x7e8f9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8fa000 | 0x7e8fa000 | 0x7e8fafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8fc000 | 0x7e8fc000 | 0x7e8fefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8ff000 | 0x7e8ff000 | 0x7e8fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xe28, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #195: net.exe
0
0
| Information | Value |
|---|---|
| ID | #195 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeEdgeSync |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe28 |
| Parent PID | 0x420 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E6C
0x
E7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x049effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000049f0000 | 0x049f0000 | 0x04a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a11fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004a20000 | 0x04a20000 | 0x04a33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04afffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b00000 | 0x04b00000 | 0x04b03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004b10000 | 0x04b10000 | 0x04b10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b21fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f4a0000 | 0x7f4a0000 | 0x7f4c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4cb000 | 0x7f4cb000 | 0x7f4cdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ce000 | 0x7f4ce000 | 0x7f4cefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4cf000 | 0x7f4cf000 | 0x7f4cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #196: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #196 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeEdgeSync |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe80 |
| Parent PID | 0xe28 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E8C
0x
E70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d90000 | 0x00d90000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00da3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dd3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x00eb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ec1fff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00ed0000 | 0x00ed2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x0102ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x01030000 | 0x01061fff | Memory Mapped File | Readable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x050c0000 | 0x0517dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005180000 | 0x05180000 | 0x051fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052b0000 | 0x052b0000 | 0x052bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005410000 | 0x05410000 | 0x0541ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eb80000 | 0x7eb80000 | 0x7ec7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7eca2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eca5000 | 0x7eca5000 | 0x7eca5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eca6000 | 0x7eca6000 | 0x7eca6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecaa000 | 0x7ecaa000 | 0x7ecacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecad000 | 0x7ecad000 | 0x7ecaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xed0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #197: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #197 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeFDS |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe84 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE8
0x
EB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x04bdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004be0000 | 0x04be0000 | 0x04beffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04bf3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c03fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c10000 | 0x04c10000 | 0x04c23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d70000 | 0x04d70000 | 0x04d73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04d91fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04da0000 | 0x04e5dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x0502ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x051bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052d0000 | 0x052d0000 | 0x052dffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x052e0000 | 0x05616fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e9c0000 | 0x7e9c0000 | 0x7eabffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7eae2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eae6000 | 0x7eae6000 | 0x7eae8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eae9000 | 0x7eae9000 | 0x7eaebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaec000 | 0x7eaec000 | 0x7eaecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaef000 | 0x7eaef000 | 0x7eaeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xed4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #199: net.exe
0
0
| Information | Value |
|---|---|
| ID | #199 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeFDS |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed4 |
| Parent PID | 0xe84 (c:\windows\syswow64\sc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EC4
0x
EDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x047cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x047effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x047f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004800000 | 0x04800000 | 0x04813fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x0485ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004860000 | 0x04860000 | 0x048dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000048e0000 | 0x048e0000 | 0x048e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000048f0000 | 0x048f0000 | 0x048f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x04901fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a30000 | 0x04a30000 | 0x04b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ebe2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ebe7000 | 0x7ebe7000 | 0x7ebe7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebeb000 | 0x7ebeb000 | 0x7ebedfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebee000 | 0x7ebee000 | 0x7ebeefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #200: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #200 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeFDS |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed8 |
| Parent PID | 0xed4 (c:\windows\syswow64\wbem\wmic.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EBC
0x
EE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005f0000 | 0x005f0000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00603fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00613fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00633fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00703fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00710fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00721fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00770000 | 0x00772fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netmsg.dll.mui | 0x00780000 | 0x007b1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00900000 | 0x009bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x00a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f820000 | 0x7f820000 | 0x7f91ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f920000 | 0x7f920000 | 0x7f942fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f943000 | 0x7f943000 | 0x7f943fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f948000 | 0x7f948000 | 0x7f94afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f94b000 | 0x7f94b000 | 0x7f94bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f94d000 | 0x7f94d000 | 0x7f94ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x770000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #201: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #201 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeFBA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe74 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F1C
0x
F0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000200000 | 0x00200000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x0020ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00213fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00223fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00243fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00393fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x0452ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x0456ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04570000 | 0x0462dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004630000 | 0x04630000 | 0x0466ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004670000 | 0x04670000 | 0x0476ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047e0000 | 0x047e0000 | 0x047effff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x047f0000 | 0x04b26fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f260000 | 0x7f260000 | 0x7f35ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f360000 | 0x7f360000 | 0x7f382fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f388000 | 0x7f388000 | 0x7f38afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f38b000 | 0x7f38b000 | 0x7f38dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f38e000 | 0x7f38e000 | 0x7f38efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f38f000 | 0x7f38f000 | 0x7f38ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xeb8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #203: net.exe
0
0
| Information | Value |
|---|---|
| ID | #203 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeFBA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeb8 |
| Parent PID | 0xe74 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F10
0x
F14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x048affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000048b0000 | 0x048b0000 | 0x048cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x048d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000048e0000 | 0x048e0000 | 0x048f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x0493ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x049bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000049c0000 | 0x049c0000 | 0x049c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000049d0000 | 0x049d0000 | 0x049d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000049e0000 | 0x049e0000 | 0x049e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f760000 | 0x7f760000 | 0x7f782fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f787000 | 0x7f787000 | 0x7f787fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f78b000 | 0x7f78b000 | 0x7f78dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f78e000 | 0x7f78e000 | 0x7f78efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #204: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #204 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeFBA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xec0 |
| Parent PID | 0xeb8 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EFC
0x
F18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a60000 | 0x00a60000 | 0x00a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a83fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00aa3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b91fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ba0000 | 0x00c5dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00d20000 | 0x00d22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00d70000 | 0x00da1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f740000 | 0x7f740000 | 0x7f83ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f840000 | 0x7f840000 | 0x7f862fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f865000 | 0x7f865000 | 0x7f865fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f868000 | 0x7f868000 | 0x7f868fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f86a000 | 0x7f86a000 | 0x7f86cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f86d000 | 0x7f86d000 | 0x7f86ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xd20000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #205: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #205 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeImap4 |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xef8 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F44
0x
DDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x049fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004a00000 | 0x04a00000 | 0x04a0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04a13fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a23fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004a30000 | 0x04a30000 | 0x04a43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a90000 | 0x04a90000 | 0x04b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04b93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04ba0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04c10000 | 0x04ccdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x0510ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05110000 | 0x05446fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e640000 | 0x7e640000 | 0x7e73ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e740000 | 0x7e740000 | 0x7e762fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e767000 | 0x7e767000 | 0x7e769fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e76a000 | 0x7e76a000 | 0x7e76cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e76d000 | 0x7e76d000 | 0x7e76dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e76f000 | 0x7e76f000 | 0x7e76ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 17, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xef4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #207: net.exe
0
0
| Information | Value |
|---|---|
| ID | #207 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeImap4 |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xef4 |
| Parent PID | 0xef8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EEC
0x
F34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x04f1ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f41fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x0502ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005030000 | 0x05030000 | 0x05033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005040000 | 0x05040000 | 0x05040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x05051fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x051affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005220000 | 0x05220000 | 0x0522ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007edd0000 | 0x7edd0000 | 0x7edf2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007edf3000 | 0x7edf3000 | 0x7edf3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edf5000 | 0x7edf5000 | 0x7edf5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edfd000 | 0x7edfd000 | 0x7edfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #208: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #208 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeImap4 |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf24 |
| Parent PID | 0xef4 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E20
0x
F3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000420000 | 0x00420000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x0042ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00433fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00441fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00443fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00463fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00533fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00540fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00551fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x005a0000 | 0x005a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x005e0000 | 0x0069dfff | Memory Mapped File | Readable |
|
|
|
- |
| netmsg.dll.mui | 0x006a0000 | 0x006d1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e9a0000 | 0x7e9a0000 | 0x7ea9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eaa0000 | 0x7eaa0000 | 0x7eac2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eac7000 | 0x7eac7000 | 0x7eac7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eac9000 | 0x7eac9000 | 0x7eacbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eacc000 | 0x7eacc000 | 0x7eaccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eacd000 | 0x7eacd000 | 0x7eacffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x5a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #209: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #209 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeIS |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe34 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F48
0x
A7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x048effff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000048f0000 | 0x048f0000 | 0x0490ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000048f0000 | 0x048f0000 | 0x048fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x04903fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004910000 | 0x04910000 | 0x04910fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004910000 | 0x04910000 | 0x04913fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004920000 | 0x04920000 | 0x04933fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004940000 | 0x04940000 | 0x0497ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004a80000 | 0x04a80000 | 0x04a83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004a90000 | 0x04a90000 | 0x04a90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04aa1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04b60000 | 0x04c1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fc0000 | 0x04fc0000 | 0x04fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04fd0000 | 0x05306fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f1cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f1d0000 | 0x7f1d0000 | 0x7f1f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f1f5000 | 0x7f1f5000 | 0x7f1f5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1f8000 | 0x7f1f8000 | 0x7f1fafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1fb000 | 0x7f1fb000 | 0x7f1fbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1fd000 | 0x7f1fd000 | 0x7f1fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 176, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x524, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #211: net.exe
0
0
| Information | Value |
|---|---|
| ID | #211 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeIS |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x524 |
| Parent PID | 0xe34 (c:\windows\syswow64\wbem\wmic.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A78
0x
A60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x0462ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004630000 | 0x04630000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x04651fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004660000 | 0x04660000 | 0x04673fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x046bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x0473ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004740000 | 0x04740000 | 0x04743fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004750000 | 0x04750000 | 0x04750fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x04761fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004910000 | 0x04910000 | 0x0491ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f160000 | 0x7f160000 | 0x7f182fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f188000 | 0x7f188000 | 0x7f188fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f18c000 | 0x7f18c000 | 0x7f18cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f18d000 | 0x7f18d000 | 0x7f18ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #212: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #212 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeIS |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf20 |
| Parent PID | 0x524 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A5C
0x
F38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000770000 | 0x00770000 | 0x0078ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x0077ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00783fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00791fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00793fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00883fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00890fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x008b0000 | 0x0096dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x009b0000 | 0x009b2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netmsg.dll.mui | 0x009c0000 | 0x009f1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ea00000 | 0x7ea00000 | 0x7eafffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eb00000 | 0x7eb00000 | 0x7eb22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb28000 | 0x7eb28000 | 0x7eb28fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb29000 | 0x7eb29000 | 0x7eb2bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb2c000 | 0x7eb2c000 | 0x7eb2efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb2f000 | 0x7eb2f000 | 0x7eb2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x9b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #213: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #213 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeMailSubmission |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x854 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F28
0x
928
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x04dbffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04ddffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004dc0000 | 0x04dc0000 | 0x04dcffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04dd3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004df0000 | 0x04df0000 | 0x04e03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004f60000 | 0x04f60000 | 0x04f60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x04f71fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04f80000 | 0x0503dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0507ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x0514ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005150000 | 0x05150000 | 0x0524ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052e0000 | 0x052e0000 | 0x053dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000054f0000 | 0x054f0000 | 0x054fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05500000 | 0x05836fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e990000 | 0x7e990000 | 0x7ea8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ea90000 | 0x7ea90000 | 0x7eab2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eab7000 | 0x7eab7000 | 0x7eab9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaba000 | 0x7eaba000 | 0x7eabafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eabc000 | 0x7eabc000 | 0x7eabefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eabf000 | 0x7eabf000 | 0x7eabffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 184, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x9a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #215: net.exe
0
0
| Information | Value |
|---|---|
| ID | #215 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeMailSubmission |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9a0 |
| Parent PID | 0x854 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
948
0x
560
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0443ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0445ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x04461fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004470000 | 0x04470000 | 0x04483fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x044cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x0454ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004550000 | 0x04550000 | 0x04553fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004560000 | 0x04560000 | 0x04560fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004570000 | 0x04570000 | 0x04571fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x0459ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x0473ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eca0000 | 0x7eca0000 | 0x7ecc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ecca000 | 0x7ecca000 | 0x7eccafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eccc000 | 0x7eccc000 | 0x7eccefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eccf000 | 0x7eccf000 | 0x7eccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #216: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #216 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeMailSubmission |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9f4 |
| Parent PID | 0x9a0 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
910
0x
52C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c20000 | 0x00c20000 | 0x00c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c41fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c43fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00da0000 | 0x00da2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00dd0000 | 0x00e8dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00f10000 | 0x00f41fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0537ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f4f0000 | 0x7f4f0000 | 0x7f5effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f5f0000 | 0x7f5f0000 | 0x7f612fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f615000 | 0x7f615000 | 0x7f615fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f617000 | 0x7f617000 | 0x7f619fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f61a000 | 0x7f61a000 | 0x7f61afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f61d000 | 0x7f61d000 | 0x7f61ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xda0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #217: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #217 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeMailboxAssistants |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x824 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BFC
0x
A84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x04d2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04d43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d50fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d53fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d60000 | 0x04d60000 | 0x04d73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004d80000 | 0x04d80000 | 0x04dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ec0000 | 0x04ec0000 | 0x04ec3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004ed0000 | 0x04ed0000 | 0x04ed0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04ee1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x0502ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050cffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x050d0000 | 0x0518dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005190000 | 0x05190000 | 0x0528ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005470000 | 0x05470000 | 0x0547ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05480000 | 0x057b6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ef1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef20000 | 0x7ef20000 | 0x7ef42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef45000 | 0x7ef45000 | 0x7ef45fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef49000 | 0x7ef49000 | 0x7ef4bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef4c000 | 0x7ef4c000 | 0x7ef4efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef4f000 | 0x7ef4f000 | 0x7ef4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xa94, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #219: net.exe
0
0
| Information | Value |
|---|---|
| ID | #219 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeMailboxAssistants |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa94 |
| Parent PID | 0x824 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA0
0x
F80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000090000 | 0x00090000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x0423ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x0440ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x045effff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e420000 | 0x7e420000 | 0x7e442fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e444000 | 0x7e444000 | 0x7e444fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e44c000 | 0x7e44c000 | 0x7e44efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e44f000 | 0x7e44f000 | 0x7e44ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #220: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #220 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeMailboxAssistants |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf70 |
| Parent PID | 0xa94 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F58
0x
F7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005f0000 | 0x005f0000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00603fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00613fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00633fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00703fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00710fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00721fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00770000 | 0x00772fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netmsg.dll.mui | 0x00780000 | 0x007b1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x007d0000 | 0x0088dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e4e0000 | 0x7e4e0000 | 0x7e5dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e5e0000 | 0x7e5e0000 | 0x7e602fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e605000 | 0x7e605000 | 0x7e607fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e608000 | 0x7e608000 | 0x7e608fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e60b000 | 0x7e60b000 | 0x7e60dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e60e000 | 0x7e60e000 | 0x7e60efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x770000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #221: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #221 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeMailboxReplication |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf68 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F78
0x
FB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000150000 | 0x00150000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x0015ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00163fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00173fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x04410000 | 0x044cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x045cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045e0000 | 0x045e0000 | 0x045effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046f0000 | 0x046f0000 | 0x047effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000048f0000 | 0x048f0000 | 0x048fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04900000 | 0x04c36fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e490000 | 0x7e490000 | 0x7e58ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e590000 | 0x7e590000 | 0x7e5b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e5b3000 | 0x7e5b3000 | 0x7e5b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e5b9000 | 0x7e5b9000 | 0x7e5bbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e5bc000 | 0x7e5bc000 | 0x7e5befff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e5bf000 | 0x7e5bf000 | 0x7e5bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xf54, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #223: net.exe
0
0
| Information | Value |
|---|---|
| ID | #223 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeMailboxReplication |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf54 |
| Parent PID | 0xf68 (c:\windows\syswow64\sc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FA8
0x
FB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x04c2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c50000 | 0x04c50000 | 0x04c51fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cc0000 | 0x04cc0000 | 0x04d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d40000 | 0x04d40000 | 0x04d43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004d50000 | 0x04d50000 | 0x04d50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d61fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f3c0000 | 0x7f3c0000 | 0x7f3e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f3e3000 | 0x7f3e3000 | 0x7f3e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f3ec000 | 0x7f3ec000 | 0x7f3eefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f3ef000 | 0x7f3ef000 | 0x7f3effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #224: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #224 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeMailboxReplication |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf6c |
| Parent PID | 0xf54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F5C
0x
F94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000520000 | 0x00520000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x0052ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00533fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00541fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00543fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00563fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00633fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x00640fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00651fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00660000 | 0x0071dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00760000 | 0x00762fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0078ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00810000 | 0x00841fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f270000 | 0x7f270000 | 0x7f36ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f370000 | 0x7f370000 | 0x7f392fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f396000 | 0x7f396000 | 0x7f398fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f399000 | 0x7f399000 | 0x7f39bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f39c000 | 0x7f39c000 | 0x7f39cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f39f000 | 0x7f39f000 | 0x7f39ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x760000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #225: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #225 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeMonitoring |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfa0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FEC
0x
F90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x044fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x0451ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004500000 | 0x04500000 | 0x0450ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x04513fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x04520fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x04523fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004530000 | 0x04530000 | 0x04543fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0458ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x0468ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004690000 | 0x04690000 | 0x04693fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000046a0000 | 0x046a0000 | 0x046a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000046b0000 | 0x046b0000 | 0x046b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x046c0000 | 0x0477dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004780000 | 0x04780000 | 0x047bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004800000 | 0x04800000 | 0x0480ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x0490ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049b0000 | 0x049b0000 | 0x04aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04caffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04cb0000 | 0x04fe6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e5e0000 | 0x7e5e0000 | 0x7e6dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e6e0000 | 0x7e6e0000 | 0x7e702fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e704000 | 0x7e704000 | 0x7e704fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e709000 | 0x7e709000 | 0x7e70bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e70c000 | 0x7e70c000 | 0x7e70efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e70f000 | 0x7e70f000 | 0x7e70ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xf9c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #227: net.exe
0
0
| Information | Value |
|---|---|
| ID | #227 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeMonitoring |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf9c |
| Parent PID | 0xfa0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD0
0x
F88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x04deffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e11fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e20000 | 0x04e20000 | 0x04e33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04efffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f00000 | 0x04f00000 | 0x04f03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004f10000 | 0x04f10000 | 0x04f10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f21fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0517ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec60000 | 0x7ec60000 | 0x7ec82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ec88000 | 0x7ec88000 | 0x7ec88fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec89000 | 0x7ec89000 | 0x7ec89fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec8d000 | 0x7ec8d000 | 0x7ec8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #228: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #228 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeMonitoring |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf8c |
| Parent PID | 0xf9c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FCC
0x
FFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d30000 | 0x00d30000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d53fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e61fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00e70000 | 0x00f2dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00ff0000 | 0x00ff2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0102ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x01030000 | 0x01061fff | Memory Mapped File | Readable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x051bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005260000 | 0x05260000 | 0x0535ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f670000 | 0x7f670000 | 0x7f76ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f770000 | 0x7f770000 | 0x7f792fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f796000 | 0x7f796000 | 0x7f796fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f798000 | 0x7f798000 | 0x7f798fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f79a000 | 0x7f79a000 | 0x7f79cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f79d000 | 0x7f79d000 | 0x7f79ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xff0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #229: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #229 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangePop3 |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfc0 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE4
0x
FE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x04daffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004db0000 | 0x04db0000 | 0x04dbffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04dd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04dd3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004de0000 | 0x04de0000 | 0x04df3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e40000 | 0x04e40000 | 0x04f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f40000 | 0x04f40000 | 0x04f43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004f50000 | 0x04f50000 | 0x04f50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f61fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04f70000 | 0x0502dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005040000 | 0x05040000 | 0x0504ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0508ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000050b0000 | 0x050b0000 | 0x051affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x052affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005330000 | 0x05330000 | 0x0533ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05340000 | 0x05676fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f610000 | 0x7f610000 | 0x7f70ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f710000 | 0x7f710000 | 0x7f732fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f734000 | 0x7f734000 | 0x7f734fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f735000 | 0x7f735000 | 0x7f735fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f73a000 | 0x7f73a000 | 0x7f73cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f73d000 | 0x7f73d000 | 0x7f73ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 248, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x9cc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #231: net.exe
0
0
| Information | Value |
|---|---|
| ID | #231 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangePop3 |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9cc |
| Parent PID | 0xfc0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF4
0x
604
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x0486ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004870000 | 0x04870000 | 0x0488ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x04891fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000048a0000 | 0x048a0000 | 0x048b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000048c0000 | 0x048c0000 | 0x048fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x0497ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004980000 | 0x04980000 | 0x04983fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004990000 | 0x04990000 | 0x04990fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049c0000 | 0x049c0000 | 0x049cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f5a0000 | 0x7f5a0000 | 0x7f5c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f5c3000 | 0x7f5c3000 | 0x7f5c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5cc000 | 0x7f5cc000 | 0x7f5cefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5cf000 | 0x7f5cf000 | 0x7f5cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #232: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #232 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangePop3 |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf0 |
| Parent PID | 0x9cc (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
168
0x
C18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e30000 | 0x00e30000 | 0x00e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f61fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00f70000 | 0x0102dfff | Memory Mapped File | Readable |
|
|
|
- |
| netmsg.dll | 0x01030000 | 0x01032fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x051fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005200000 | 0x05200000 | 0x0527ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x05280000 | 0x052b1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005310000 | 0x05310000 | 0x0531ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f1e0000 | 0x7f1e0000 | 0x7f2dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f2e0000 | 0x7f2e0000 | 0x7f302fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f307000 | 0x7f307000 | 0x7f307fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f308000 | 0x7f308000 | 0x7f30afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f30b000 | 0x7f30b000 | 0x7f30bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f30d000 | 0x7f30d000 | 0x7f30ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x1030000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #233: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #233 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeProtectedServiceHost |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ec |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FC4
0x
C64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0442ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x04413fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x04423fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004430000 | 0x04430000 | 0x04443fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004450000 | 0x04450000 | 0x0448ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x0458ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004590000 | 0x04590000 | 0x04593fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000045a0000 | 0x045a0000 | 0x045a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x045c0000 | 0x0467dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x046bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x0479ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x0489ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x049fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04afffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04b00000 | 0x04e36fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e9f0000 | 0x7e9f0000 | 0x7eaeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7eb12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb15000 | 0x7eb15000 | 0x7eb17fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb18000 | 0x7eb18000 | 0x7eb1afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb1b000 | 0x7eb1b000 | 0x7eb1bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb1e000 | 0x7eb1e000 | 0x7eb1efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 104, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xc5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #235: net.exe
0
0
| Information | Value |
|---|---|
| ID | #235 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeProtectedServiceHost |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc5c |
| Parent PID | 0x9ec (c:\windows\syswow64\wevtutil.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C40
0x
C54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x04aeffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004af0000 | 0x04af0000 | 0x04b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b10000 | 0x04b10000 | 0x04b11fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b20000 | 0x04b20000 | 0x04b33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c00000 | 0x04c00000 | 0x04c03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004c10000 | 0x04c10000 | 0x04c10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c21fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f120000 | 0x7f120000 | 0x7f142fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f149000 | 0x7f149000 | 0x7f149fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f14c000 | 0x7f14c000 | 0x7f14efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f14f000 | 0x7f14f000 | 0x7f14ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #236: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #236 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeProtectedServiceHost |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc4c |
| Parent PID | 0xc5c (c:\windows\syswow64\sc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF0
0x
C30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004e0000 | 0x004e0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00501fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00503fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00523fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00620000 | 0x006ddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x006f0000 | 0x006f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x008cffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x008d0000 | 0x00901fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0091ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f4b0000 | 0x7f4b0000 | 0x7f5affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f5b0000 | 0x7f5b0000 | 0x7f5d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f5d8000 | 0x7f5d8000 | 0x7f5dafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5db000 | 0x7f5db000 | 0x7f5dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5dc000 | 0x7f5dc000 | 0x7f5defff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5df000 | 0x7f5df000 | 0x7f5dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x6f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #237: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #237 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeRepl |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc1c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C38
0x
C24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x0441ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x0443ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004420000 | 0x04420000 | 0x0442ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04433fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x04440fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x04443fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004450000 | 0x04450000 | 0x04463fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004470000 | 0x04470000 | 0x044affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044b0000 | 0x044b0000 | 0x045affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000045b0000 | 0x045b0000 | 0x045b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000045c0000 | 0x045c0000 | 0x045c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x045d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045e0000 | 0x045e0000 | 0x045effff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x045f0000 | 0x046adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000046b0000 | 0x046b0000 | 0x046effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004710000 | 0x04710000 | 0x0480ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004810000 | 0x04810000 | 0x0490ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a80000 | 0x04a80000 | 0x04a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04a90000 | 0x04dc6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f2a0000 | 0x7f2a0000 | 0x7f39ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f3a0000 | 0x7f3a0000 | 0x7f3c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f3c3000 | 0x7f3c3000 | 0x7f3c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f3c7000 | 0x7f3c7000 | 0x7f3c9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f3ca000 | 0x7f3ca000 | 0x7f3ccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f3cd000 | 0x7f3cd000 | 0x7f3cdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 17, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xc20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #239: net.exe
0
0
| Information | Value |
|---|---|
| ID | #239 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeRepl |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc20 |
| Parent PID | 0xc1c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1F4
0x
C78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x04fdffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x04ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005000000 | 0x05000000 | 0x05001fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005010000 | 0x05010000 | 0x05023fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005030000 | 0x05030000 | 0x0506ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x050effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000050f0000 | 0x050f0000 | 0x050f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005100000 | 0x05100000 | 0x05100fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x05111fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005140000 | 0x05140000 | 0x0514ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005290000 | 0x05290000 | 0x0538ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f100000 | 0x7f100000 | 0x7f122fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f128000 | 0x7f128000 | 0x7f128fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f12c000 | 0x7f12c000 | 0x7f12efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f12f000 | 0x7f12f000 | 0x7f12ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #240: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #240 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeRepl |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc68 |
| Parent PID | 0xc20 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D08
0x
CA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e90000 | 0x00e90000 | 0x00eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ed3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00fa3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x01010000 | 0x01012fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netmsg.dll.mui | 0x01020000 | 0x01051fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| locale.nls | 0x050c0000 | 0x0517dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005180000 | 0x05180000 | 0x051fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005240000 | 0x05240000 | 0x0533ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x0548ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e8fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e900000 | 0x7e900000 | 0x7e922fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e927000 | 0x7e927000 | 0x7e929fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e92a000 | 0x7e92a000 | 0x7e92afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e92b000 | 0x7e92b000 | 0x7e92bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e92d000 | 0x7e92d000 | 0x7e92ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x1010000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #241: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #241 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeRPC |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc9c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D00
0x
554
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x044cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000044d0000 | 0x044d0000 | 0x044effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000044d0000 | 0x044d0000 | 0x044dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044e0000 | 0x044e0000 | 0x044e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x044f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004500000 | 0x04500000 | 0x04513fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004520000 | 0x04520000 | 0x0455ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x0465ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004660000 | 0x04660000 | 0x04663fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004670000 | 0x04670000 | 0x04670fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004680000 | 0x04680000 | 0x04681fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046b0000 | 0x046b0000 | 0x046bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000046c0000 | 0x046c0000 | 0x046fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004750000 | 0x04750000 | 0x0484ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04850000 | 0x0490dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004910000 | 0x04910000 | 0x04a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04b10000 | 0x04e46fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e930000 | 0x7e930000 | 0x7ea2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ea30000 | 0x7ea30000 | 0x7ea52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ea53000 | 0x7ea53000 | 0x7ea53fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea56000 | 0x7ea56000 | 0x7ea56fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea5a000 | 0x7ea5a000 | 0x7ea5cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea5d000 | 0x7ea5d000 | 0x7ea5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 51, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x9a4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #243: net.exe
0
0
| Information | Value |
|---|---|
| ID | #243 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeRPC |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9a4 |
| Parent PID | 0xc9c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C80
0x
C3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x042dffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000042e0000 | 0x042e0000 | 0x042fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004300000 | 0x04300000 | 0x04301fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004310000 | 0x04310000 | 0x04323fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004330000 | 0x04330000 | 0x0436ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004370000 | 0x04370000 | 0x043effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000043f0000 | 0x043f0000 | 0x043f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004400000 | 0x04400000 | 0x04400fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x04411fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004590000 | 0x04590000 | 0x0459ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004760000 | 0x04760000 | 0x0485ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7eca2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eca7000 | 0x7eca7000 | 0x7eca7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecaa000 | 0x7ecaa000 | 0x7ecacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecad000 | 0x7ecad000 | 0x7ecadfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #244: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #244 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeRPC |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x390 |
| Parent PID | 0x9a4 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C44
0x
820
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a50000 | 0x00a50000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a71fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00adffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00b90000 | 0x00c4dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00d20000 | 0x00d22fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netmsg.dll.mui | 0x00d30000 | 0x00d61fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005220000 | 0x05220000 | 0x0522ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e5b0000 | 0x7e5b0000 | 0x7e6affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e6b0000 | 0x7e6b0000 | 0x7e6d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e6d3000 | 0x7e6d3000 | 0x7e6d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6d7000 | 0x7e6d7000 | 0x7e6d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6da000 | 0x7e6da000 | 0x7e6dcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e6dd000 | 0x7e6dd000 | 0x7e6ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xd20000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #245: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #245 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeSearch |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x42c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CB4
0x
E38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x04c5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c60000 | 0x04c60000 | 0x04c6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c70000 | 0x04c70000 | 0x04c73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c83fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004c90000 | 0x04c90000 | 0x04ca3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04deffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004df0000 | 0x04df0000 | 0x04df3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004e00000 | 0x04e00000 | 0x04e00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004e10000 | 0x04e10000 | 0x04e11fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04e20000 | 0x04eddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x050affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0513ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005170000 | 0x05170000 | 0x0526ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05270000 | 0x055a6fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e8d0000 | 0x7e8d0000 | 0x7e9cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e9d0000 | 0x7e9d0000 | 0x7e9f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e9f6000 | 0x7e9f6000 | 0x7e9f6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e9f7000 | 0x7e9f7000 | 0x7e9f7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e9fa000 | 0x7e9fa000 | 0x7e9fcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e9fd000 | 0x7e9fd000 | 0x7e9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 72, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xd0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #247: net.exe
0
0
| Information | Value |
|---|---|
| ID | #247 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeSearch |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd0c |
| Parent PID | 0x42c (c:\windows\syswow64\sc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E24
0x
A24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x04d6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04d91fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004da0000 | 0x04da0000 | 0x04db3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004dc0000 | 0x04dc0000 | 0x04dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e80000 | 0x04e80000 | 0x04e83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004e90000 | 0x04e90000 | 0x04e90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04ea1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f10000 | 0x04f10000 | 0x04f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005080000 | 0x05080000 | 0x0517ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f090000 | 0x7f090000 | 0x7f0b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0b8000 | 0x7f0b8000 | 0x7f0b8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0b9000 | 0x7f0b9000 | 0x7f0b9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0bd000 | 0x7f0bd000 | 0x7f0bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #248: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #248 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeSearch |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x310 |
| Parent PID | 0xd0c (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E2C
0x
E98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c50000 | 0x00c50000 | 0x00c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c71fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c73fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d81fff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00d90000 | 0x00d92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ed0000 | 0x00f8dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0104ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| netmsg.dll.mui | 0x050c0000 | 0x050f1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000051a0000 | 0x051a0000 | 0x051affff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ed6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed70000 | 0x7ed70000 | 0x7ed92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ed95000 | 0x7ed95000 | 0x7ed95fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed97000 | 0x7ed97000 | 0x7ed99fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed9a000 | 0x7ed9a000 | 0x7ed9cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed9d000 | 0x7ed9d000 | 0x7ed9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xd90000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #249: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #249 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop wsbexchange |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe30 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CD4
0x
C48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x04b5ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04b83fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04ba3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bf0000 | 0x04bf0000 | 0x04ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004cf0000 | 0x04cf0000 | 0x04cf3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004d00000 | 0x04d00000 | 0x04d00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d11fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04d20000 | 0x04dddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04feffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ff0000 | 0x04ff0000 | 0x050effff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x050f0000 | 0x05426fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e700000 | 0x7e700000 | 0x7e7fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e822fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e826000 | 0x7e826000 | 0x7e826fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e827000 | 0x7e827000 | 0x7e827fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82a000 | 0x7e82a000 | 0x7e82cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82d000 | 0x7e82d000 | 0x7e82ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xc50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #251: net.exe
0
0
| Information | Value |
|---|---|
| ID | #251 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop wsbexchange |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc50 |
| Parent PID | 0xe30 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B3C
0x
CD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x04caffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004cd0000 | 0x04cd0000 | 0x04cd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ce0000 | 0x04ce0000 | 0x04cf3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d40000 | 0x04d40000 | 0x04dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004dc0000 | 0x04dc0000 | 0x04dc3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004dd0000 | 0x04dd0000 | 0x04dd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04de1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0511ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ed42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ed49000 | 0x7ed49000 | 0x7ed49fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed4b000 | 0x7ed4b000 | 0x7ed4dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed4e000 | 0x7ed4e000 | 0x7ed4efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #252: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #252 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop wsbexchange |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x77c |
| Parent PID | 0xc50 (c:\windows\syswow64\sc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CBC
0x
CC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e40000 | 0x00e40000 | 0x00e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e53fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e61fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f71fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00fbffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00fc0000 | 0x00fc2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0100ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x01010000 | 0x01041fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x0107ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005130000 | 0x05130000 | 0x0522ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x05230000 | 0x052edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000052f0000 | 0x052f0000 | 0x0536ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f020000 | 0x7f020000 | 0x7f11ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f120000 | 0x7f120000 | 0x7f142fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f143000 | 0x7f143000 | 0x7f143fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f147000 | 0x7f147000 | 0x7f149fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f14a000 | 0x7f14a000 | 0x7f14cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f14d000 | 0x7f14d000 | 0x7f14dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xfc0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #253: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #253 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeServiceHost |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd1c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C74
0x
D40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x0454ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0456ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004550000 | 0x04550000 | 0x0455ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004560000 | 0x04560000 | 0x04563fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004570000 | 0x04570000 | 0x04570fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004570000 | 0x04570000 | 0x04573fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004580000 | 0x04580000 | 0x04593fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000045a0000 | 0x045a0000 | 0x045dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045e0000 | 0x045e0000 | 0x046dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000046e0000 | 0x046e0000 | 0x046e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000046f0000 | 0x046f0000 | 0x046f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x04701fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04710000 | 0x047cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x0480ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0488ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x0498ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000049b0000 | 0x049b0000 | 0x04aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04c10000 | 0x04f46fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eb80000 | 0x7eb80000 | 0x7ec7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7eca2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eca7000 | 0x7eca7000 | 0x7eca7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eca9000 | 0x7eca9000 | 0x7eca9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecaa000 | 0x7ecaa000 | 0x7ecacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecad000 | 0x7ecad000 | 0x7ecaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x594, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #255: net.exe
0
0
| Information | Value |
|---|---|
| ID | #255 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeServiceHost |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x594 |
| Parent PID | 0xd1c (c:\windows\syswow64\sc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C6C
0x
D24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x0436ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004370000 | 0x04370000 | 0x0438ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004390000 | 0x04390000 | 0x04391fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000043a0000 | 0x043a0000 | 0x043b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x043fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x0447ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004480000 | 0x04480000 | 0x04483fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004490000 | 0x04490000 | 0x04490fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x044a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x045effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x0465ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eba0000 | 0x7eba0000 | 0x7ebc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ebcb000 | 0x7ebcb000 | 0x7ebcdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebce000 | 0x7ebce000 | 0x7ebcefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebcf000 | 0x7ebcf000 | 0x7ebcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #256: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #256 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeServiceHost |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd30 |
| Parent PID | 0x594 (c:\windows\syswow64\wbem\wmic.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CCC
0x
CB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000160000 | 0x00160000 | 0x0017ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x0016ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00173fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00183fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x001a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00273fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x002e0000 | 0x002e2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netmsg.dll.mui | 0x002f0000 | 0x00321fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00360000 | 0x0041dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eca0000 | 0x7eca0000 | 0x7ed9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eda0000 | 0x7eda0000 | 0x7edc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007edc8000 | 0x7edc8000 | 0x7edc8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edc9000 | 0x7edc9000 | 0x7edcbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edcc000 | 0x7edcc000 | 0x7edcefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edcf000 | 0x7edcf000 | 0x7edcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x2e0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #257: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #257 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeSA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd5c |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D20
0x
D70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x04b2ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004b30000 | 0x04b30000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b30000 | 0x04b30000 | 0x04b3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b50fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b50000 | 0x04b50000 | 0x04b53fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004b60000 | 0x04b60000 | 0x04b73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004b80000 | 0x04b80000 | 0x04bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x04cc3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004cd0000 | 0x04cd0000 | 0x04cd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ce1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04cf0000 | 0x04dadfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04deffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fd0000 | 0x04fd0000 | 0x050cffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x050d0000 | 0x05406fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7ebeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ebf0000 | 0x7ebf0000 | 0x7ec12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ec17000 | 0x7ec17000 | 0x7ec19fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec1a000 | 0x7ec1a000 | 0x7ec1afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec1c000 | 0x7ec1c000 | 0x7ec1efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec1f000 | 0x7ec1f000 | 0x7ec1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x454, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #259: net.exe
0
0
| Information | Value |
|---|---|
| ID | #259 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeSA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x454 |
| Parent PID | 0xd5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
834
0x
D14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x0474ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004750000 | 0x04750000 | 0x0476ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004770000 | 0x04770000 | 0x04771fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004780000 | 0x04780000 | 0x04793fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000047a0000 | 0x047a0000 | 0x047dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047e0000 | 0x047e0000 | 0x0485ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004860000 | 0x04860000 | 0x04863fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004870000 | 0x04870000 | 0x04870fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x04881fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004960000 | 0x04960000 | 0x0496ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a50000 | 0x04a50000 | 0x04b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f3f0000 | 0x7f3f0000 | 0x7f412fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f418000 | 0x7f418000 | 0x7f418fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f41b000 | 0x7f41b000 | 0x7f41dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f41e000 | 0x7f41e000 | 0x7f41efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #260: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #260 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeSA |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd80 |
| Parent PID | 0x454 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D78
0x
D44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c50000 | 0x00c50000 | 0x00c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c71fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c73fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d81fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00d90000 | 0x00e4dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00f10000 | 0x00f12fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00f40000 | 0x00f71fff | Memory Mapped File | Readable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005240000 | 0x05240000 | 0x0524ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6a0000 | 0x7f6a0000 | 0x7f79ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f7a0000 | 0x7f7a0000 | 0x7f7c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f7c6000 | 0x7f7c6000 | 0x7f7c6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7c8000 | 0x7f7c8000 | 0x7f7cafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7cb000 | 0x7f7cb000 | 0x7f7cbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7cd000 | 0x7f7cd000 | 0x7f7cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xf10000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #261: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #261 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeThrottling |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x764 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D38
0x
300
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x046fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x0471ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004700000 | 0x04700000 | 0x0470ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004710000 | 0x04710000 | 0x04713fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004720000 | 0x04720000 | 0x04720fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004720000 | 0x04720000 | 0x04723fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004730000 | 0x04730000 | 0x04743fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004750000 | 0x04750000 | 0x0478ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004790000 | 0x04790000 | 0x0488ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004890000 | 0x04890000 | 0x04893fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000048a0000 | 0x048a0000 | 0x048a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000048b0000 | 0x048b0000 | 0x048b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x048c0000 | 0x0497dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x049bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b60000 | 0x04b60000 | 0x04c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c60000 | 0x04c60000 | 0x04d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04edffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04ee0000 | 0x05216fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f400000 | 0x7f400000 | 0x7f4fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f500000 | 0x7f500000 | 0x7f522fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f523000 | 0x7f523000 | 0x7f523fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f528000 | 0x7f528000 | 0x7f52afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f52b000 | 0x7f52b000 | 0x7f52dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f52e000 | 0x7f52e000 | 0x7f52efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xd90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #263: net.exe
0
0
| Information | Value |
|---|---|
| ID | #263 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeThrottling |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:03 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd90 |
| Parent PID | 0x764 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5C0
0x
D84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x043cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000043d0000 | 0x043d0000 | 0x043effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000043f0000 | 0x043f0000 | 0x043f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004400000 | 0x04400000 | 0x04413fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x0445ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x044dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000044e0000 | 0x044e0000 | 0x044e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x04501fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004510000 | 0x04510000 | 0x0451ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x0473ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f110000 | 0x7f110000 | 0x7f132fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f134000 | 0x7f134000 | 0x7f134fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f13a000 | 0x7f13a000 | 0x7f13afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f13d000 | 0x7f13d000 | 0x7f13ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #264: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #264 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeThrottling |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x53c |
| Parent PID | 0xd90 (c:\windows\syswow64\net1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8F8
0x
DAC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000160000 | 0x00160000 | 0x0017ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x0016ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00173fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00183fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x001a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00273fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00291fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002a0000 | 0x0035dfff | Memory Mapped File | Readable |
|
|
|
- |
| netmsg.dll | 0x00360000 | 0x00362fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00440000 | 0x00471fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e690000 | 0x7e690000 | 0x7e78ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e790000 | 0x7e790000 | 0x7e7b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e7b8000 | 0x7e7b8000 | 0x7e7b8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7b9000 | 0x7e7b9000 | 0x7e7bbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7bc000 | 0x7e7bc000 | 0x7e7befff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7bf000 | 0x7e7bf000 | 0x7e7bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0x360000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #265: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #265 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeTransport |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd60 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D7C
0x
DB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x04edffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04efffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004ee0000 | 0x04ee0000 | 0x04eeffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04ef3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f03fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004f10000 | 0x04f10000 | 0x04f23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f70000 | 0x04f70000 | 0x0506ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005070000 | 0x05070000 | 0x05073fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000005080000 | 0x05080000 | 0x05080fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000005090000 | 0x05090000 | 0x05091fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x050a0000 | 0x0515dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x0519ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005220000 | 0x05220000 | 0x0522ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000052c0000 | 0x052c0000 | 0x052cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005300000 | 0x05300000 | 0x053fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005400000 | 0x05400000 | 0x054fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x05500000 | 0x05836fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f430000 | 0x7f430000 | 0x7f52ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f530000 | 0x7f530000 | 0x7f552fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f555000 | 0x7f555000 | 0x7f557fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f558000 | 0x7f558000 | 0x7f55afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f55b000 | 0x7f55b000 | 0x7f55bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f55d000 | 0x7f55d000 | 0x7f55dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xda0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #267: net.exe
0
0
| Information | Value |
|---|---|
| ID | #267 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeTransport |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda0 |
| Parent PID | 0xd60 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D54
0x
DA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x0436ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004370000 | 0x04370000 | 0x0438ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004390000 | 0x04390000 | 0x04391fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000043a0000 | 0x043a0000 | 0x043b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000043c0000 | 0x043c0000 | 0x043fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x0447ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004480000 | 0x04480000 | 0x04483fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004490000 | 0x04490000 | 0x04490fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x044a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045b0000 | 0x045b0000 | 0x045bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x046effff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e480000 | 0x7e480000 | 0x7e4a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e4a6000 | 0x7e4a6000 | 0x7e4a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e4a7000 | 0x7e4a7000 | 0x7e4a7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e4ad000 | 0x7e4ad000 | 0x7e4affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #268: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #268 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeTransport |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdcc |
| Parent PID | 0xda0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DC4
0x
DBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a70000 | 0x00a70000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a83fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00ab3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00c00000 | 0x00c02fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netmsg.dll.mui | 0x00c10000 | 0x00c41fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00d60000 | 0x00e1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000052a0000 | 0x052a0000 | 0x052affff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eed0000 | 0x7eed0000 | 0x7efcffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efd0000 | 0x7efd0000 | 0x7eff2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eff4000 | 0x7eff4000 | 0x7eff6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eff7000 | 0x7eff7000 | 0x7eff7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007effa000 | 0x7effa000 | 0x7effcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007effd000 | 0x7effd000 | 0x7effdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xc00000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #269: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #269 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeTransportLogSearch |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf4 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
224
0x
DA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x047cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x047effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000047d0000 | 0x047d0000 | 0x047dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047e0000 | 0x047e0000 | 0x047e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x047f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x047f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004800000 | 0x04800000 | 0x04813fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004820000 | 0x04820000 | 0x0485ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004860000 | 0x04860000 | 0x0495ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004960000 | 0x04960000 | 0x04963fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004970000 | 0x04970000 | 0x04970fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04981fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04990000 | 0x04a4dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a70000 | 0x04a70000 | 0x04aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004b20000 | 0x04b20000 | 0x04c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f00000 | 0x04f00000 | 0x04f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04f10000 | 0x05246fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ef60000 | 0x7ef60000 | 0x7f05ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f060000 | 0x7f060000 | 0x7f082fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f084000 | 0x7f084000 | 0x7f084fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f088000 | 0x7f088000 | 0x7f088fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f08a000 | 0x7f08a000 | 0x7f08cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f08d000 | 0x7f08d000 | 0x7f08ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 20, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0xdd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #271: net.exe
0
0
| Information | Value |
|---|---|
| ID | #271 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeTransportLogSearch |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd4 |
| Parent PID | 0xbf4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE8
0x
D10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x04f8ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004fb0000 | 0x04fb0000 | 0x04fb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004fc0000 | 0x04fc0000 | 0x04fd3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x0501ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005020000 | 0x05020000 | 0x0509ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000050a0000 | 0x050a0000 | 0x050a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000050b0000 | 0x050b0000 | 0x050b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000050c0000 | 0x050c0000 | 0x050c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005270000 | 0x05270000 | 0x0527ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000053c0000 | 0x053c0000 | 0x054bffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e650000 | 0x7e650000 | 0x7e672fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e673000 | 0x7e673000 | 0x7e673fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e67c000 | 0x7e67c000 | 0x7e67cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e67d000 | 0x7e67d000 | 0x7e67ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #272: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #272 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeTransportLogSearch |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb08 |
| Parent PID | 0xdd4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D34
0x
DF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008f0000 | 0x008f0000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00903fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00911fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00913fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00933fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x009fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00a70000 | 0x00a72fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00aa0000 | 0x00b5dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll.mui | 0x00be0000 | 0x00c11fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eec0000 | 0x7eec0000 | 0x7efbffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7efe2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efe5000 | 0x7efe5000 | 0x7efe5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe8000 | 0x7efe8000 | 0x7efe8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efea000 | 0x7efea000 | 0x7efecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efed000 | 0x7efed000 | 0x7efeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xa70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #273: cmd.exe
54
0
| Information | Value |
|---|---|
| ID | #273 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c net stop MSExchangeADTopology" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe10 |
| Parent PID | 0xb54 (c:\users\ciihmnxmn6ps\desktop\scvhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E0C
0x
DB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x003c0000 | 0x0040ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004410000 | 0x04410000 | 0x0442ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004410000 | 0x04410000 | 0x0441ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x04423fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04430fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004430000 | 0x04430000 | 0x04433fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004440000 | 0x04440000 | 0x04453fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004460000 | 0x04460000 | 0x0449ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000044a0000 | 0x044a0000 | 0x0459ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000045a0000 | 0x045a0000 | 0x045a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000045b0000 | 0x045b0000 | 0x045b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000045c0000 | 0x045c0000 | 0x045c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045e0000 | 0x045e0000 | 0x045effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x0462ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004630000 | 0x04630000 | 0x0472ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x04730000 | 0x047edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000047f0000 | 0x047f0000 | 0x048effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x04a50000 | 0x04d86fff | Memory Mapped File | Readable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e9e0000 | 0x7e9e0000 | 0x7eadffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eae0000 | 0x7eae0000 | 0x7eb02fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb05000 | 0x7eb05000 | 0x7eb07fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb08000 | 0x7eb08000 | 0x7eb08fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb0a000 | 0x7eb0a000 | 0x7eb0cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb0d000 | 0x7eb0d000 | 0x7eb0dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 200, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\net.exe | os_pid = 0x354, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x77670000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x776b2780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x7768fa80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x7768a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76a835c0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #275: net.exe
0
0
| Information | Value |
|---|---|
| ID | #275 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MSExchangeADTopology" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x354 |
| Parent PID | 0xe10 (c:\windows\syswow64\net1.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF4
0x
B00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| net.exe | 0x00220000 | 0x00239fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x04d4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d70000 | 0x04d70000 | 0x04d71fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004d80000 | 0x04d80000 | 0x04d93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04ddffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004de0000 | 0x04de0000 | 0x04e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e60000 | 0x04e60000 | 0x04e63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004e70000 | 0x04e70000 | 0x04e70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000004e80000 | 0x04e80000 | 0x04e81fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x0504ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005050000 | 0x05050000 | 0x0505ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ea40000 | 0x7ea40000 | 0x7ea62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ea64000 | 0x7ea64000 | 0x7ea64fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea6a000 | 0x7ea6a000 | 0x7ea6cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea6d000 | 0x7ea6d000 | 0x7ea6dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #276: net1.exe
17
0
| Information | Value |
|---|---|
| ID | #276 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MSExchangeADTopology" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c8 |
| Parent PID | 0x354 (c:\windows\syswow64\net.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
908
0x
718
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000af0000 | 0x00af0000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b03fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b11fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b13fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c21fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| netmsg.dll | 0x00c70000 | 0x00c72fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00cc0000 | 0x00d7dfff | Memory Mapped File | Readable |
|
|
|
- |
| netmsg.dll.mui | 0x00d80000 | 0x00db1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| net1.exe | 0x01080000 | 0x010b1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x050bffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000005280000 | 0x05280000 | 0x0528ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64.dll | 0x59300000 | 0x5934efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x59350000 | 0x59357fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x59360000 | 0x593d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| logoncli.dll | 0x74a00000 | 0x74a2efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dsrole.dll | 0x74a30000 | 0x74a37fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| browcli.dll | 0x74a40000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| samcli.dll | 0x74a50000 | 0x74a63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74ac0000 | 0x74ac9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74ad0000 | 0x74aebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x74af0000 | 0x74b0afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74b10000 | 0x74b1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74ce0000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74d40000 | 0x74d49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74d50000 | 0x74d6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76970000 | 0x76ae5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x77250000 | 0x77292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x77670000 | 0x7775ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77a10000 | 0x77acdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77af0000 | 0x77b9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f1a0000 | 0x7f1a0000 | 0x7f29ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f2a0000 | 0x7f2a0000 | 0x7f2c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f2c7000 | 0x7f2c7000 | 0x7f2c9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2ca000 | 0x7f2ca000 | 0x7f2ccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2cd000 | 0x7f2cd000 | 0x7f2cdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2ce000 | 0x7f2ce000 | 0x7f2cefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfc03e6ffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x00007dfc03e70000 | 0x7dfc03e70000 | 0x7ffc03e6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffc04032000 | 0x7ffc04032000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 30 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 2 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 52 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NETMSG | base_address = 0xc70000 |
|
1 | |
| Get Handle | c:\windows\syswow64\net1.exe | base_address = 0x1080000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\net1.exe, file_name_orig = C:\Windows\SysWOW64\net1.exe, size = 260 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Service Name | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Process #277: sc.exe
8
0
| Information | Value |
|---|---|
| ID | #277 |
| File Name | c:\windows\system32\sc.exe |
| Command Line | C:\Windows\system32\sc.exe start wuauserv |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:38, Reason: Child Process |
| Unmonitor | End Time: 00:03:24, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb08 |
| Parent PID | 0x378 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
DC8
0x
908
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000cbc7590000 | 0xcbc7590000 | 0xcbc75affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000cbc7590000 | 0xcbc7590000 | 0xcbc759ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x000000cbc75a0000 | 0xcbc75a0000 | 0xcbc75a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000cbc75b0000 | 0xcbc75b0000 | 0xcbc75c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000cbc75d0000 | 0xcbc75d0000 | 0xcbc764ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000cbc7650000 | 0xcbc7650000 | 0xcbc7653fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000cbc7660000 | 0xcbc7660000 | 0xcbc7660fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000cbc7670000 | 0xcbc7670000 | 0xcbc7671fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0xcbc7680000 | 0xcbc773dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000cbc7740000 | 0xcbc7740000 | 0xcbc77bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000cbc77c0000 | 0xcbc77c0000 | 0xcbc77c6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000cbc77d0000 | 0xcbc77d0000 | 0xcbc78cffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe.mui | 0xcbc78d0000 | 0xcbc78e1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000cbc79b0000 | 0xcbc79b0000 | 0xcbc79bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ff330000 | 0x7df5ff330000 | 0x7ff5ff32ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7f8010000 | 0x7ff7f8010000 | 0x7ff7f810ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7f8110000 | 0x7ff7f8110000 | 0x7ff7f8132fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7f813b000 | 0x7ff7f813b000 | 0x7ff7f813cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7f813d000 | 0x7ff7f813d000 | 0x7ff7f813efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7f813f000 | 0x7ff7f813f000 | 0x7ff7f813ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sc.exe | 0x7ff7f8280000 | 0x7ff7f8295fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 425 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\sc.exe | base_address = 0x7ff7f8280000 |
|
1 |
Service (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | service_name = wuauserv |
|
1 | |
| Open | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| Start | service_name = wuauserv |
|
1 |
Process #280: services.exe
0
0
| Information | Value |
|---|---|
| ID | #280 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:39, Reason: Created Daemon |
| Unmonitor | End Time: 00:01:36, Reason: Terminated by Timeout |
| Monitor Duration | 23:58:57 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1e4 |
| Parent PID | 0x194 (c:\windows\system32\wininit.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
36C
0x
358
0x
33C
0x
30C
0x
308
0x
294
0x
260
0x
240
0x
238
0x
C50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000a4161d0000 | 0xa4161d0000 | 0xa4161dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| services.exe.mui | 0xa4161e0000 | 0xa4161e4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x000000a4161f0000 | 0xa4161f0000 | 0xa416203fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000a416210000 | 0xa416210000 | 0xa416213fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000a416290000 | 0xa416290000 | 0xa416293fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000a4162a0000 | 0xa4162a0000 | 0xa4162a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0xa4162b0000 | 0xa41636dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x000000a416370000 | 0xa416370000 | 0xa416370fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a4163d0000 | 0xa4163d0000 | 0xa4163d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416400000 | 0xa416400000 | 0xa4164fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416580000 | 0xa416580000 | 0xa4165fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416600000 | 0xa416600000 | 0xa41667ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416680000 | 0xa416680000 | 0xa4166fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416750000 | 0xa416750000 | 0xa416756fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416760000 | 0xa416760000 | 0xa4167dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416800000 | 0xa416800000 | 0xa4168fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416900000 | 0xa416900000 | 0xa41697ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416980000 | 0xa416980000 | 0xa4169fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416a00000 | 0xa416a00000 | 0xa416a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416b00000 | 0xa416b00000 | 0xa416b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416b80000 | 0xa416b80000 | 0xa416bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000a416c00000 | 0xa416c00000 | 0xa416cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007df5ff8b0000 | 0x7df5ff8b0000 | 0x7ff5ff8affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff64fbc4000 | 0x7ff64fbc4000 | 0x7ff64fbc5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fbc6000 | 0x7ff64fbc6000 | 0x7ff64fbc7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fbca000 | 0x7ff64fbca000 | 0x7ff64fbcbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fbcc000 | 0x7ff64fbcc000 | 0x7ff64fbcdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fbce000 | 0x7ff64fbce000 | 0x7ff64fbcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00007ff64fbd0000 | 0x7ff64fbd0000 | 0x7ff64fccffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff64fcd0000 | 0x7ff64fcd0000 | 0x7ff64fcf2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff64fcf3000 | 0x7ff64fcf3000 | 0x7ff64fcf4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fcf5000 | 0x7ff64fcf5000 | 0x7ff64fcf5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fcf6000 | 0x7ff64fcf6000 | 0x7ff64fcf7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fcf8000 | 0x7ff64fcf8000 | 0x7ff64fcf9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff64fcfa000 | 0x7ff64fcfa000 | 0x7ff64fcfbfff | Private Memory | Readable, Writable |
|
|
|
- |
| services.exe | 0x7ff650490000 | 0x7ff6504fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usermgrcli.dll | 0x7ffbfd180000 | 0x7ffbfd18ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| authz.dll | 0x7ffbff9b0000 | 0x7ffbff9f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| scesrv.dll | 0x7ffbffa00000 | 0x7ffbffa8dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7ffbffb00000 | 0x7ffbffb25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x7ffc00110000 | 0x7ffc0016cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7ffc004c0000 | 0x7ffc004ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| spinf.dll | 0x7ffc00670000 | 0x7ffc0068afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| eventaggregation.dll | 0x7ffc00690000 | 0x7ffc006a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dabapi.dll | 0x7ffc006b0000 | 0x7ffc006b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc006f0000 | 0x7ffc0075afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7ffc008f0000 | 0x7ffc00902fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x7ffc02050000 | 0x7ffc02057fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x7ffc03980000 | 0x7ffc039e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Process #294: sppsvc.exe
11
0
| Information | Value |
|---|---|
| ID | #294 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\Windows\system32\sppsvc.exe |
| Initial Working Directory | C:\Windows |
| Monitor | Start Time: 00:02:39, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Terminated by Timeout |
| Monitor Duration | 23:59:33 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe5c |
| Parent PID | 0x1e4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DC0
0x
FAC
0x
674
0x
E64
0x
E60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x0000003255980000 | 0x3255980000 | 0x3255986fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003255990000 | 0x3255990000 | 0x325599ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000032559a0000 | 0x32559a0000 | 0x32559b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000032559c0000 | 0x32559c0000 | 0x3255a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003255a40000 | 0x3255a40000 | 0x3255a46fff | Private Memory | Readable, Writable |
|
|
|
- |
| sppsvc.exe.mui | 0x3255a50000 | 0x3255a55fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000003255a60000 | 0x3255a60000 | 0x3255a60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003255a70000 | 0x3255a70000 | 0x3255a70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003255a80000 | 0x3255a80000 | 0x3255a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003255a90000 | 0x3255a90000 | 0x3255a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003255ab0000 | 0x3255ab0000 | 0x3255baffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x3255bb0000 | 0x3255c6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000003255c70000 | 0x3255c70000 | 0x3255ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003255cf0000 | 0x3255cf0000 | 0x3255d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003255d80000 | 0x3255d80000 | 0x3255d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000003255d90000 | 0x3255d90000 | 0x3255f17fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000003255f20000 | 0x3255f20000 | 0x32560a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000032560b0000 | 0x32560b0000 | 0x325616ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000003256170000 | 0x3256170000 | 0x325626ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000003256270000 | 0x3256270000 | 0x32562effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000032562f0000 | 0x32562f0000 | 0x325636ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x3256370000 | 0x32566a6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00007df5ff820000 | 0x7df5ff820000 | 0x7ff5ff81ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x00007ff7cd930000 | 0x7ff7cd930000 | 0x7ff7cda2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00007ff7cda30000 | 0x7ff7cda30000 | 0x7ff7cda52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00007ff7cda55000 | 0x7ff7cda55000 | 0x7ff7cda56fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7cda57000 | 0x7ff7cda57000 | 0x7ff7cda57fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7cda58000 | 0x7ff7cda58000 | 0x7ff7cda59fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7cda5a000 | 0x7ff7cda5a000 | 0x7ff7cda5bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7cda5c000 | 0x7ff7cda5c000 | 0x7ff7cda5dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00007ff7cda5e000 | 0x7ff7cda5e000 | 0x7ff7cda5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sppsvc.exe | 0x7ff7ce090000 | 0x7ff7ce6bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clipc.dll | 0x7ffbeb200000 | 0x7ffbeb215fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptxml.dll | 0x7ffbeb220000 | 0x7ffbeb241fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| webservices.dll | 0x7ffbeb630000 | 0x7ffbeb7aafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| xmllite.dll | 0x7ffbfbe40000 | 0x7ffbfbe75fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7ffbffdc0000 | 0x7ffbffdf2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7ffc00170000 | 0x7ffc00186fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7ffc002e0000 | 0x7ffc002eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x7ffc006c0000 | 0x7ffc006e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x7ffc006f0000 | 0x7ffc0075afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x7ffc00910000 | 0x7ffc0091efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x7ffc00920000 | 0x7ffc00930fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x7ffc01190000 | 0x7ffc01350fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7ffc01360000 | 0x7ffc0153cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7ffc01640000 | 0x7ffc016e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x7ffc018a0000 | 0x7ffc01b1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7ffc01dd0000 | 0x7ffc01ef5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x7ffc01f00000 | 0x7ffc0204dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7ffc02060000 | 0x7ffc020fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7ffc02100000 | 0x7ffc0215afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7ffc037f0000 | 0x7ffc03974fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7ffc03bb0000 | 0x7ffc03cf0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7ffc03d00000 | 0x7ffc03dbdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x7ffc03dc0000 | 0x7ffc03e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x7ffc03e70000 | 0x7ffc04031fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\spp\store\2.0\data.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_WRITE_THROUGH, share_mode = FILE_SHARE_READ |
|
2 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat.tmp | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat.bak | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\spp\store\2.0\data.dat | type = size, size_out = 0 |
|
2 | |
| Read | C:\Windows\System32\spp\store\2.0\data.dat | size = 31360, size_out = 31360 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-15 00:10:35 (UTC) |
|
1 |
