fb4077e5ef55027b2972e94fe54eca985dfb933702f09a640a799f31b2181834 (SHA256)
clifind.log.exe
Windows Exe (x86-32)
Created at 2018-11-14 12:09:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: clifind.log.exe
1423
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\clifind.log.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:07, Reason: Self Terminated |
| Monitor Duration | 00:00:32 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf04 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F08
0x
F0C
0x
F10
0x
FE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| display.pnf | 0x00060000 | 0x00061fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00070fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Private Memory | rw |
|
|
|
- |
| clifind.log.exe | 0x00400000 | 0x00449fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| oleaccrc.dll | 0x00490000 | 0x00491fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004acfff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004c5fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00907fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x01e9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01f1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x01faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x0203ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02040000 | 0x02376fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x0253ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x0247ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0253ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0263ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0283ffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x740b0000 | 0x740f3fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74100000 | 0x74118fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74120000 | 0x7414efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74150000 | 0x74162fff | Memory Mapped File | rwx |
|
|
|
- |
| dciman32.dll | 0x74170000 | 0x74176fff | Memory Mapped File | rwx |
|
|
|
- |
| ddraw.dll | 0x74180000 | 0x7426afff | Memory Mapped File | rwx |
|
|
|
- |
| glu32.dll | 0x74270000 | 0x74294fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x742a0000 | 0x742c0fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x742d0000 | 0x742f2fff | Memory Mapped File | rwx |
|
|
|
- |
| opengl32.dll | 0x74300000 | 0x743dffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x743e0000 | 0x746a0fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x746b0000 | 0x746cafff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x746d0000 | 0x74722fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x74730000 | 0x74747fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x74750000 | 0x748affff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748b0000 | 0x748b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x748c0000 | 0x74ae3fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74af0000 | 0x74b81fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x74b90000 | 0x74bf6fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76a90000 | 0x76c34fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x773d0000 | 0x773d5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fe4d000 | 0x7fe4d000 | 0x7fe4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fe50000 | 0x7fe50000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (770)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\F57916AF | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\F57916AF | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10 | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
6 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10 | desired_access = GENERIC_READ |
|
6 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Open | - | - |
|
498 | |
| Read | STD_ERROR_HANDLE | size = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe | size = 64, size_out = 64 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe | size = 20, size_out = 20 |
|
1 | |
| Delete | _U_clifind.log.exe | - |
|
1 |
Registry (18)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
6 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\Description\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\Description\System | value_name = VideoBiosVersion, data = 0 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
2 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\explorer.exe | os_pid = 0xc34, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Get Info | C:\Windows\SysWOW64\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
1 |
Thread (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Resume | c:\users\ciihmnxmn6ps\desktop\clifind.log.exe | os_tid = 0xfe4 |
|
1 |
Memory (5)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Protect | C:\Windows\SysWOW64\explorer.exe | address = 0xa6dea0, protection = PAGE_EXECUTE_READWRITE, size = 684 |
|
1 | |
| Read | C:\Windows\SysWOW64\explorer.exe | address = 0x7f503008, size = 4 |
|
1 | |
| Read | C:\Windows\SysWOW64\explorer.exe | address = 0x9d0000, size = 4096 |
|
1 | |
| Read | C:\Windows\SysWOW64\explorer.exe | address = 0x9d00e8, size = 4096 |
|
1 | |
| Write | C:\Windows\SysWOW64\explorer.exe | address = 0xa6dea0, size = 684 |
|
1 |
Module (79)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NTDLL | base_address = 0x77ca0000 |
|
10 | |
| Load | ntdll | base_address = 0x77ca0000 |
|
1 | |
| Load | user32 | base_address = 0x77150000 |
|
1 | |
| Load | Psapi | base_address = 0x773d0000 |
|
1 | |
| Load | winsta.dll | base_address = 0x740b0000 |
|
1 | |
| Load | gdi32 | base_address = 0x77000000 |
|
1 | |
| Load | advapi32 | base_address = 0x76a10000 |
|
1 | |
| Load | shlwapi | base_address = 0x77290000 |
|
1 | |
| Load | shell32 | base_address = 0x75430000 |
|
1 | |
| Load | ole32 | base_address = 0x768b0000 |
|
1 | |
| Load | api-ms-win-core-com-l1-1-0 | base_address = 0x76e40000 |
|
2 | |
| Load | oleaut32 | base_address = 0x76c90000 |
|
1 | |
| Load | version | base_address = 0x748b0000 |
|
1 | |
| Load | crypt32 | base_address = 0x77ab0000 |
|
1 | |
| Load | setupapi | base_address = 0x76a90000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
12 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76a10000 |
|
2 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\clifind.log.exe | base_address = 0x400000 |
|
2 | |
| Get Handle | sbiedll.dll | base_address = 0x0 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\clifind.log.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe, size = 260 |
|
3 | |
| Get Filename | sbiedll.dll | process_name = c:\users\ciihmnxmn6ps\desktop\clifind.log.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe, size = 501 |
|
1 | |
| Get Filename | sbiedll.dll | process_name = c:\users\ciihmnxmn6ps\desktop\clifind.log.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe, size = 259 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
8 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlReAllocateHeap, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlSizeHeap, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlExitUserThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlInitializeCriticalSection, address_out = 0x77cf95f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlEnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlLeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlDeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAddVectoredExceptionHandler, address_out = 0x77cff090 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlRemoveVectoredExceptionHandler, address_out = 0x77cc8870 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoCreateInstance, address_out = 0x76ee8200 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoUninitialize, address_out = 0x76eadca0 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 65592 |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\desktop\clifind.log.exe, desired_access = FILE_MAP_ALL_ACCESS |
|
1 |
Keyboard (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_CODEPAGE, result_out = 437 |
|
1 |
System (525)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
8 | |
| Get Cursor | x_out = 1099, y_out = 854 |
|
2 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
249 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
11 | |
| Get Time | type = System Time, time = 2018-11-14 12:10:31 (UTC) |
|
249 | |
| Get Time | type = System Time, time = 2018-11-14 12:10:36 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 134906 |
|
1 | |
| Get Time | type = Ticks, time = 135437 |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | mutex_name = Global\UzFCA0D558, desired_access = SYNCHRONIZE |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\ciihmnxmn6ps\desktop\clifind.log.exe | - |
|
1 |
Process #2: explorer.exe
349
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\explorer.exe |
| Command Line | C:\Windows\SysWOW64\explorer.exe |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:04:36, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc34 |
| Parent PID | 0xf04 (c:\users\ciihmnxmn6ps\desktop\clifind.log.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C60
0x
C30
0x
888
0x
CB0
0x
CFC
0x
CF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000650000 | 0x00650000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x0065ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00663fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00670fff | Private Memory | rw |
|
|
|
- |
| explorer.exe.mui | 0x00670000 | 0x00677fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00693fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00723fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00732fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00760000 | 0x0081dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c3fff | Private Memory | rw |
|
|
|
- |
| explorer.exe | 0x009d0000 | 0x00da6fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x04daffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004df0000 | 0x04df0000 | 0x04e2ffff | Private Memory | rw |
|
|
|
- |
| display.pnf | 0x04e30000 | 0x04e31fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004e30000 | 0x04e30000 | 0x04e30fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e40000 | 0x04e40000 | 0x04e40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004e40000 | 0x04e40000 | 0x04e43fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004e50000 | 0x04e50000 | 0x04e60fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000004e70000 | 0x04e70000 | 0x04eb3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ef0000 | 0x04ef0000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f00000 | 0x04f00000 | 0x05087fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005090000 | 0x05090000 | 0x05210fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005220000 | 0x05220000 | 0x0661ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006620000 | 0x06620000 | 0x0665ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006660000 | 0x06660000 | 0x0669ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000066a0000 | 0x066a0000 | 0x06757fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000067a0000 | 0x067a0000 | 0x067affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x067b0000 | 0x06ae6fff | Memory Mapped File | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x73b20000 | 0x73b27fff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x73b30000 | 0x73b4cfff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x73b50000 | 0x73bcdfff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x73bd0000 | 0x73bf0fff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x73c00000 | 0x73c9bfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x73ca0000 | 0x73eb2fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.dll | 0x73ec0000 | 0x73f58fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x73f60000 | 0x740a1fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x740b0000 | 0x740f3fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74100000 | 0x74118fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x742a0000 | 0x742c0fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x748b0000 | 0x748b7fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x748c0000 | 0x74ae3fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76a90000 | 0x76c34fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x773d0000 | 0x773d5fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f3dd000 | 0x7f3dd000 | 0x7f3dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f3e0000 | 0x7f3e0000 | 0x7f4dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f4e0000 | 0x7f4e0000 | 0x7f502fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f503000 | 0x7f503000 | 0x7f503fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f506000 | 0x7f506000 | 0x7f508fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f509000 | 0x7f509000 | 0x7f50bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50c000 | 0x7f50c000 | 0x7f50efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f50f000 | 0x7f50f000 | 0x7f50ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\clifind.log.exe | 0xfe4 | address = 0xa6dea0, size = 684 |
|
1 |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe | type = size |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\clifind.log.exe | size = 276992, size_out = 276992 |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\137FBF1F\ | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 |
Module (115)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NTDLL | base_address = 0x77ca0000 |
|
20 | |
| Load | ntdll | base_address = 0x77ca0000 |
|
2 | |
| Load | user32 | base_address = 0x77150000 |
|
2 | |
| Load | Psapi | base_address = 0x773d0000 |
|
2 | |
| Load | winsta.dll | base_address = 0x740b0000 |
|
2 | |
| Load | gdi32 | base_address = 0x77000000 |
|
2 | |
| Load | advapi32 | base_address = 0x76a10000 |
|
2 | |
| Load | shlwapi | base_address = 0x77290000 |
|
2 | |
| Load | shell32 | base_address = 0x75430000 |
|
2 | |
| Load | ole32 | base_address = 0x768b0000 |
|
2 | |
| Load | api-ms-win-core-com-l1-1-0 | base_address = 0x76e40000 |
|
4 | |
| Load | oleaut32 | base_address = 0x76c90000 |
|
2 | |
| Load | version | base_address = 0x748b0000 |
|
2 | |
| Load | crypt32 | base_address = 0x77ab0000 |
|
2 | |
| Load | wsock32 | base_address = 0x73b20000 |
|
1 | |
| Load | ws2_32 | base_address = 0x769b0000 |
|
19 | |
| Load | wininet | base_address = 0x748c0000 |
|
1 | |
| Load | setupapi | base_address = 0x76a90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\explorer.exe, file_name_orig = C:\Windows\SysWOW64\explorer.exe, size = 1025 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlReAllocateHeap, address_out = 0x77cdbae0 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x77cdda90 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlSizeHeap, address_out = 0x77cf4f40 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlExitUserThread, address_out = 0x77d02570 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlInitializeCriticalSection, address_out = 0x77cf95f0 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlEnterCriticalSection, address_out = 0x77ce5e80 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlLeaveCriticalSection, address_out = 0x77ce5e00 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlDeleteCriticalSection, address_out = 0x77cf9920 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAddVectoredExceptionHandler, address_out = 0x77cff090 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlRemoveVectoredExceptionHandler, address_out = 0x77cc8870 |
|
2 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoCreateInstance, address_out = 0x76ee8200 |
|
2 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoUninitialize, address_out = 0x76eadca0 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x769c12c0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_ntoa, address_out = 0x769c4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohs, address_out = 0x769c3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = send, address_out = 0x769bce20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x769c33a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = select, address_out = 0x769c48e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ioctlsocket, address_out = 0x769bd860 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x769b9780 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x769b9ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x769c2420 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x769be0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = listen, address_out = 0x769c3f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = accept, address_out = 0x769c4030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = __WSAFDIsSet, address_out = 0x769c2f20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x769c3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSACleanup, address_out = 0x769bda00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostname, address_out = 0x769dc920 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyname, address_out = 0x769dc790 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x769c2e90 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = C16B7627891373F4, wndproc_parameter = 0 |
|
1 |
System (215)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
210 | |
| Get Time | type = System Time, time = 2018-11-14 12:10:46 (UTC) |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\UzFCA0D558 |
|
1 |
