Hancitor Malware | Grouped Behavior
Try VMRay Analyzer
| Host | Resolved to | Country | City | Protocol |
|---|---|---|---|---|
| foandrenla.com |
| Information | Value |
|---|---|
| ID / OS PID | #1 / 0x85c |
| OS Parent PID | 0x454 (c:\windows\explorer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\program files (x86)\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" |
| Monitor | Start Time: 00:00:12, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:22, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:10 |
| OS Thread IDs |
#
1
0x 8D4
#
2
0x 8D0
#
3
0x 8CC
#
4
0x 8C8
#
5
0x 8C4
#
6
0x 8C0
#
7
0x 8BC
#
8
0x 8B8
#
9
0x 8B4
#
10
0x 8A8
#
11
0x 8A0
#
12
0x 89C
#
13
0x 860
#
14
0x 8D8
#
15
0x 8E4
#
16
0x 8E8
#
17
0x 8EC
#
18
0x 8F0
#
19
0x 96C
#
21
0x 9A0
#
81
0x 808
#
82
0x 7F4
#
83
0x B64 |
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\hjrd1k~1\appdata\local\temp\vbe\msforms.exd | 148.49 KB (152056 bytes) |
MD5:
3216ec2560c6583449f44e7dd9549b4b
SHA1: ccc83c8644eec8cf1bb6c0950dfb868d4f46b42c SHA256: 4851a74564adb270cbb68d67ab645ad18d1ba0921b2972372679352c09209192 |
|
|
| c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\forms\winword.box | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | 73.00 KB (74752 bytes) |
MD5:
eeef5204913a313f64a2e06dea22b936
SHA1: 74a5c8175391184a5fd7b32dfde7b9a27386aadf SHA256: 927810b771a85383ab0679c559ef7544bb7666f60d84f8e180c405fda1659005 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | file_attributes = _O_RDWR, _O_CREAT, _O_EXCL |
|
1 | |
| WRITE | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | size = 74752 |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | VBE7.DLL | base_address = 0x68370000 |
|
18 | |
| LOAD | C:\Windows\system32\advapi32.dll | base_address = 0x76470000 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\vfs\programfilescommonx86\microsoft shared\vba\vba7.1\vbeui.dll | function = _MsoMultiByteToWideChar@24, address = 0x67f3c669 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 528, address = 0x683f814d |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 617, address = 0x683f6997 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 619, address = 0x683f6a57 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 632, address = 0x683f63c4 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 614, address = 0x68540137 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 714, address = 0x68540476 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 673, address = 0x6857da54 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 713, address = 0x6857fe55 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 518, address = 0x683f5dcb |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 582, address = 0x6854010c |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 648, address = 0x68379630 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 583, address = 0x6853f896 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 585, address = 0x6853f68d |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 666, address = 0x683a5bc6 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 717, address = 0x6856f4a9 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 616, address = 0x683f46c2 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 587, address = 0x6853fc79 |
|
1 | |
| GET_PROC_ADDRESS | c:\program files (x86)\microsoft office\root\office16\gkword.dll | function = 626, address = 0x6856533a |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\advapi32.dll | function = DuplicateTokenEx, address = 0x7647ca24 |
|
1 |
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| CREATE | UserForm | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER |
|
1 | |
| CREATE | {172BDDF8-CEEA-11D1-8B05-00600806D9B6} | {0000011A-0000-0000-C000-000000000046} |
|
1 | ||
| CREATE | WinMGMTS | IClassFactory |
|
1 | ||
| CREATE | WbemLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| CREATE | WbemDefPath | IWbemPath | cls_context = CLSCTX_INPROC_SERVER |
|
5 | |
| QUERY | ITypeLib | new_interface = {CACC1E8A-622B-11D2-AA78-00C04F9901D2} |
|
4 | ||
| QUERY | ITypeLib | new_interface = {CACC1E84-622B-11D2-AA78-00C04F9901D2} |
|
14 | ||
| QUERY | ICreateTypeLib2 | new_interface = ITypeLib |
|
1 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E82-622B-11D2-AA78-00C04F9901D2} |
|
11 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E83-622B-11D2-AA78-00C04F9901D2} |
|
1 | ||
| QUERY | ITypeInfo | new_interface = ITypeInfo2 |
|
1 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E88-622B-11D2-AA78-00C04F9901D2} |
|
3 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E82-622B-11D2-AA78-00C04F9901D2} |
|
10 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E83-622B-11D2-AA78-00C04F9901D2} |
|
9 | ||
| QUERY | ITypeInfo | new_interface = ITypeInfo2 |
|
1 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E82-622B-11D2-AA78-00C04F9901D2} |
|
5 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E83-622B-11D2-AA78-00C04F9901D2} |
|
4 | ||
| QUERY | ITypeInfo | new_interface = ITypeInfo2 |
|
20 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E82-622B-11D2-AA78-00C04F9901D2} |
|
145 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E83-622B-11D2-AA78-00C04F9901D2} |
|
126 | ||
| QUERY | UserForm | IClassFactory | new_interface = IUnknown, |
|
1 | |
| QUERY | UserForm | IUnknown | new_interface = IDispatch |
|
3 | |
| QUERY | UserForm | IUnknown | new_interface = {468CFB80-B4F9-11CF-80DD-00AA00614895} |
|
1 | |
| QUERY | ITypeInfo | new_interface = {CACC1E88-622B-11D2-AA78-00C04F9901D2} |
|
3 | ||
| QUERY | ITypeInfo | new_interface = ITypeInfo2 |
|
2 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E89-622B-11D2-AA78-00C04F9901D2} |
|
2 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E88-622B-11D2-AA78-00C04F9901D2} |
|
2 | ||
| QUERY | ITypeInfo | new_interface = {CACC1E89-622B-11D2-AA78-00C04F9901D2} |
|
1 | ||
| QUERY | WinMGMTS | IClassFactory | new_interface = IParseDisplayName, |
|
1 | |
| QUERY | WbemLocator | IWbemServices | new_interface = IClientSecurity |
|
2 | |
| QUERY | WbemLocator | IUnknown | new_interface = IClientSecurity |
|
3 | |
| QUERY | WbemLocator | IUnknown | new_interface = IUnknown |
|
1 | |
| QUERY | WbemDefPath | IWbemPath | new_interface = IUnknown |
|
1 | |
| QUERY | UserForm | IUnknown | new_interface = {F27BE360-1B98-11CF-84FC-00AA00A71DCB} |
|
1 | |
| METHOD | ITypeLib | method = AddRef |
|
136 | ||
| METHOD | ITypeComp | method = AddRef |
|
10 | ||
| METHOD | ICreateTypeLib2 | method = SetGuid |
|
1 | ||
| METHOD | ICreateTypeLib2 | method = SetLcid |
|
1 | ||
| METHOD | ICreateTypeLib2 | method = SetLibFlags |
|
1 | ||
| METHOD | ICreateTypeLib2 | method = SetVersion |
|
1 | ||
| METHOD | ICreateTypeLib2 | method = SetName |
|
1 | ||
| METHOD | ICreateTypeLib2 | method = SetDocString |
|
1 | ||
| METHOD | ICreateTypeLib2 | method = SetHelpContext |
|
1 | ||
| METHOD | ICreateTypeLib2 | method = SetHelpFileName |
|
1 | ||
| METHOD | ITypeLib | method = RemoteGetTypeInfoCount |
|
1 | ||
| METHOD | ITypeLib | new_interface = ITypeInfo, method = GetTypeInfo |
|
292 | ||
| METHOD | ITypeInfo | method = RemoteGetTypeAttr |
|
284 | ||
| METHOD | ITypeInfo | method = LocalReleaseTypeAttr |
|
284 | ||
| METHOD | ITypeInfo | method = RemoteGetVarDesc |
|
199 | ||
| METHOD | ITypeInfo | method = RemoteGetNames |
|
199 | ||
| METHOD | ITypeInfo | method = GetMops |
|
199 | ||
| METHOD | ITypeInfo | method = RemoteGetDocumentation |
|
199 | ||
| METHOD | ITypeInfo | method = LocalReleaseVarDesc |
|
199 | ||
| METHOD | ITypeInfo | method = GetImplTypeFlags |
|
112 | ||
| METHOD | ICreateTypeLib2 | method = SaveAllChanges |
|
1 | ||
| METHOD | ITypeInfo | method = GetRefTypeOfImplType |
|
14 | ||
| METHOD | ITypeInfo | new_interface = ITypeInfo, method = GetRefTypeInfo |
|
15 | ||
| METHOD | ITypeInfo | method = RemoteGetTypeAttr |
|
17 | ||
| METHOD | ITypeInfo | method = LocalReleaseTypeAttr |
|
17 | ||
| METHOD | ITypeComp | method = RemoteBind |
|
571 | ||
| METHOD | ITypeInfo | method = AddRef |
|
15 | ||
| METHOD | ITypeInfo | new_interface = ITypeComp, method = GetTypeComp |
|
1 | ||
| METHOD | ITypeComp | method = AddRef |
|
7 | ||
| METHOD | ITypeComp | new_interface = ITypeInfo, method = RemoteBind |
|
1 | ||
| METHOD | ITypeInfo | method = GetFuncIndexOfMemId |
|
1 | ||
| METHOD | ITypeInfo | method = GetFuncCustData |
|
1 | ||
| METHOD | ITypeInfo | method = LocalReleaseFuncDesc |
|
1 | ||
| METHOD | ITypeComp | new_interface = ITypeInfo, method = RemoteBind |
|
21 | ||
| METHOD | ITypeInfo | new_interface = ITypeLib, method = RemoteGetContainingTypeLib |
|
3 | ||
| METHOD | ITypeLib | method = RemoteGetLibAttr |
|
3 | ||
| METHOD | ITypeLib | method = RemoteGetDocumentation |
|
3 | ||
| METHOD | ITypeLib | method = AddRef |
|
1 | ||
| METHOD | ITypeLib | method = LocalReleaseTLibAttr |
|
3 | ||
| METHOD | ITypeLib | method = RemoteGetLibAttr |
|
1 | ||
| METHOD | ITypeLib | method = RemoteGetDocumentation |
|
1 | ||
| METHOD | ITypeLib | method = AddRef |
|
1 | ||
| METHOD | ITypeLib | method = LocalReleaseTLibAttr |
|
1 | ||
| METHOD | ITypeInfo | new_interface = ITypeComp, method = GetTypeComp |
|
1 | ||
| METHOD | ITypeComp | method = AddRef |
|
148 | ||
| METHOD | ITypeComp | new_interface = ITypeInfo, method = RemoteBind |
|
2 | ||
| METHOD | ITypeInfo | method = RemoteGetTypeAttr |
|
2 | ||
| METHOD | ITypeInfo | method = LocalReleaseTypeAttr |
|
2 | ||
| METHOD | ITypeInfo | method = GetFuncIndexOfMemId |
|
1 | ||
| METHOD | ITypeInfo | method = GetFuncCustData |
|
1 | ||
| METHOD | ITypeInfo | method = LocalReleaseFuncDesc |
|
1 | ||
| METHOD | ITypeInfo | method = RemoteGetTypeAttr |
|
21 | ||
| METHOD | ITypeInfo | method = LocalReleaseTypeAttr |
|
21 | ||
| METHOD | ITypeInfo | method = GetFuncIndexOfMemId |
|
20 | ||
| METHOD | ITypeInfo | method = GetFuncCustData |
|
18 | ||
| METHOD | ITypeInfo | method = LocalReleaseFuncDesc |
|
18 | ||
| METHOD | ITypeInfo | new_interface = ITypeLib, method = RemoteGetContainingTypeLib |
|
87 | ||
| METHOD | ITypeInfo | method = RemoteGetDllEntry |
|
255 | ||
| METHOD | UserForm | IClassFactory | new_interface = IUnknown, method = CreateInstance |
|
1 | |
| METHOD | UserForm | IUnknown | method = AddRef |
|
3 | |
| METHOD | ITypeComp | method = RemoteBind |
|
6 | ||
| METHOD | ITypeInfo | method = GetParamCustData |
|
2 | ||
| METHOD | ITypeInfo | method = AddRef |
|
28 | ||
| METHOD | ITypeInfo | method = GetFuncIndexOfMemId |
|
1 | ||
| METHOD | ITypeInfo | method = GetFuncCustData |
|
1 | ||
| METHOD | ITypeInfo | method = LocalReleaseFuncDesc |
|
1 | ||
| METHOD | ITypeInfo | method = GetTypeKind |
|
1 | ||
| METHOD | ITypeInfo | method = LocalReleaseVarDesc |
|
2 | ||
| METHOD | ITypeInfo | new_interface = ITypeInfo, method = GetRefTypeInfo |
|
1 | ||
| METHOD | WinMGMTS | IClassFactory | new_interface = IParseDisplayName, method = CreateInstance |
|
1 | |
| METHOD | WinMGMTS | IParseDisplayName | new_interface = IMoniker, method = ParseDisplayName |
|
1 | |
| METHOD | WbemDefPath | IWbemPath | method = SetText |
|
4 | |
| METHOD | WbemDefPath | IWbemPath | method = GetNamespaceCount |
|
2 | |
| METHOD | WbemDefPath | IWbemPath | method = GetText |
|
4 | |
| METHOD | WbemDefPath | IWbemPath | method = GetInfo |
|
4 | |
| METHOD | WbemDefPath | IWbemPath | method = GetServer |
|
2 | |
| METHOD | WbemDefPath | IWbemPath | method = SetServer |
|
1 | |
| METHOD | WbemDefPath | IWbemPath | method = RemoveAllNamespaces |
|
1 | |
| METHOD | WbemDefPath | IWbemPath | method = GetNamespaceAt |
|
4 | |
| METHOD | WbemDefPath | IWbemPath | method = SetNamespaceAt |
|
2 | |
| METHOD | WbemLocator | IWbemLocator | new_interface = IWbemServices, method = ConnectServer |
|
1 | |
| METHOD | WbemLocator | IClientSecurity | method = QueryBlanket |
|
3 | |
| METHOD | WbemLocator | IClientSecurity | new_interface = IUnknown, method = CopyProxy |
|
1 | |
| METHOD | WbemLocator | IClientSecurity | method = SetBlanket |
|
1 | |
| METHOD | WbemLocator | IUnknown | method = AddRef |
|
7 | |
| METHOD | WbemDefPath | IWbemPath | method = AddRef |
|
1 | |
| METHOD | ITypeLib | new_interface = ITypeInfo, method = GetTypeInfoOfGuid |
|
7 | ||
| METHOD | ITypeInfo | method = LocalInvoke |
|
4 | ||
| METHOD | WbemLocator | IUnknown | new_interface = IWbemClassObject, method = GetObject |
|
1 | |
| METHOD | WbemLocator | IWbemClassObject | method = AddRef |
|
6 | |
| METHOD | WbemLocator | IWbemClassObject | method = Get |
|
1 | |
| METHOD | WbemLocator | IWbemClassObject | method = BeginMethodEnumeration |
|
1 | |
| METHOD | WbemLocator | IWbemClassObject | method = NextMethod |
|
6 | |
| METHOD | WbemLocator | IWbemClassObject | method = NextMethod |
|
1 | |
| METHOD | WbemLocator | IWbemClassObject | method = EndMethodEnumeration |
|
1 | |
| METHOD | WbemLocator | IWbemClassObject | method = GetMethod |
|
1 | |
| METHOD | WbemLocator | IWbemClassObject | new_interface = IWbemClassObject, method = GetMethod |
|
1 | |
| METHOD | WbemLocator | IWbemClassObject | method = AddRef |
|
2 | |
| METHOD | WbemLocator | IWbemClassObject | new_interface = IWbemClassObject, method = SpawnInstance |
|
1 | |
| METHOD | WbemLocator | IWbemClassObject | method = AddRef |
|
6 | |
| METHOD | WbemLocator | IWbemClassObject | method = Get |
|
4 | |
| METHOD | WbemLocator | IWbemClassObject | method = Put |
|
1 | |
| METHOD | WbemLocator | IWbemClassObject | method = EndEnumeration |
|
1 | |
| METHOD | ITypeInfo | new_interface = IWbemClassObject, method = LocalInvoke |
|
1 | ||
| METHOD | WbemLocator | IUnknown | new_interface = IWbemClassObject, method = ExecMethod |
|
1 | |
| METHOD | WbemLocator | IWbemClassObject | method = EndMethodEnumeration |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_KEY | HKEY_CLASSES_ROOT\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures |
|
1 | ||
| OPEN_KEY | HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 |
|
1 | ||
| OPEN_KEY | HKEY_CLASSES_ROOT\Typelib |
|
1 | ||
| OPEN_KEY | HKEY_CLASSES_ROOT\Typelib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} |
|
1 | ||
| OPEN_KEY | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
21 | ||
| OPEN_KEY | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting |
|
1 | ||
| READ_VALUE | HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 | value_name = ThreadingModel, data_ident_out = 65 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = PropertiesWindow, data_ident_out = 90 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = MainWindow, data_ident_out = 116 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Impersonation Level, data_ident_out = 3 |
|
1 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| SET_ATTRIBUTE |
|
2 | |||
| SET_ATTRIBUTE |
|
1 |
| Operation | Virtual Key Code | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| READ | VK_CANCEL | result_out = 0 |
|
17 |
| Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|
| SET_NAMED_PROPERTY | named_property = C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #2 / 0x998 |
| OS Parent PID | 0x8f8 (c:\windows\system32\wbem\wmiprvse.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe |
| Command Line | "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe" |
| Monitor | Start Time: 00:00:41, Reason: Modified File |
| Unmonitor | End Time: 00:01:00, Reason: Terminated |
| Monitor Duration | 00:00:19 |
| OS Thread IDs |
#
20
0x 99C |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | c:\windows\system32\&hdgf$w#gsrghregrw | share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTING |
|
1 | |
| OPEN | STD_INPUT_HANDLE |
|
1 | ||
| OPEN | STD_OUTPUT_HANDLE |
|
1 | ||
| OPEN | STD_ERROR_HANDLE |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe | os_tid = 0x9c8, os_pid = 0x9c4, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 |
| Operation | Address | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| ALLOC | 0x400000 | process_name = C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe, os_pid = 0x9c4, size = 24576, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE |
|
1 | |
| WRITE | 0x400000 | process_name = C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe, os_pid = 0x9c4, size = 512 |
|
1 | |
| WRITE | 0x401000 | process_name = C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe, os_pid = 0x9c4, size = 16384 |
|
1 | |
| WRITE | 0x405000 | process_name = C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe, os_pid = 0x9c4, size = 512 |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| RESUME | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | os_tid = 0x9c8, os_pid = 0x9c4 |
|
1 | |
| GET_CONTEXT | 0x9c8 |
|
1 | ||
| SET_CONTEXT | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | os_tid = 0x9c8, os_pid = 0x9c4 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | kernel32 | base_address = 0x76530000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\kernel32.dll | base_address = 0x76530000 |
|
11 | |
| GET_HANDLE | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | base_address = 0x400000 |
|
999 | |
| GET_HANDLE | c:\windows\syswow64\ntdll.dll | base_address = 0x77b70000 |
|
1 | |
| UNMAP | C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe | os_pid = 0x9c4, base_address = 0x400000 |
|
1 | |
| GET_FILENAME | C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe |
|
2 | ||
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address = 0x76544f2b |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address = 0x76541252 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address = 0x76544208 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsFree, address = 0x7654359f |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address = 0x77bb0fcb |
|
8 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address = 0x77ba9d35 |
|
3 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceFrequency, address = 0x765441f0 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address = 0x76541725 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = IsBadCodePtr, address = 0x76562b34 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address = 0x77b8fc70 |
|
1 |
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CONTROL | control_code = 0x0 |
|
23586 |
| Information | Value |
|---|---|
| ID / OS PID | #3 / 0x9c4 |
| OS Parent PID | 0x998 (c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe |
| Command Line | "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe" |
| Monitor | Start Time: 00:00:59, Reason: Child Process |
| Unmonitor | End Time: 00:01:00, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs |
#
22
0x 9C8 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000360000 | 0x00360000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000400000 | 0x00400000 | 0x00405fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
|
| SortDefault.nls | 0x006d0000 | 0x0099efff | Memory Mapped File | Readable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | 0x99c | address = 0x400000, size = 512 |
|
1 | |
| Modify Memory | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | 0x99c | address = 0x401000, size = 16384 |
|
1 | |
| Modify Memory | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | 0x99c | address = 0x405000, size = 512 |
|
1 | |
| Modify Control Flow | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | 0x99c | os_thread_id = 0x9c8 |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | C:\Windows\SysWOW64\explorer.exe | os_tid = 0x9d4, os_pid = 0x9d0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| OPEN_TOKEN | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | os_pid = 0x9c4, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION |
|
1 | |
| GET_INFO | C:\Windows\SysWOW64\explorer.exe | os_pid = 0x9d0 |
|
1 |
| Operation | Address | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| READ | 0x7efde008 | process_name = C:\Windows\SysWOW64\explorer.exe, os_pid = 0x9d0, size = 4 |
|
1 | |
| READ | 0x1a0000 | process_name = C:\Windows\SysWOW64\explorer.exe, os_pid = 0x9d0, size = 1280 |
|
1 | |
| READ | 0x1a0000 | process_name = C:\Windows\SysWOW64\explorer.exe, os_pid = 0x9d0, size = 2625536 |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| RESUME | c:\windows\syswow64\explorer.exe | os_tid = 0x9d4, os_pid = 0x9d0 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | advapi32.dll | base_address = 0x76470000 |
|
1 | |
| CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 1638132, protection = PAGE_EXECUTE_READWRITE |
|
1 | ||
| MAP | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | os_pid = 0x9c4, address = 0xc30000 |
|
1 | |
| MAP | C:\Windows\SysWOW64\explorer.exe | os_pid = 0x9d0, address = 0x1a0000 |
|
1 | |
| UNMAP | C:\Windows\SysWOW64\explorer.exe | os_pid = 0x9d0, base_address = 0x1a0000 |
|
1 | |
| GET_FILENAME | C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\convincingly.exe |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #4 / 0x9d0 |
| OS Parent PID | 0x9c4 (c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\explorer.exe |
| Command Line | C:\Windows\SysWOW64\explorer.exe |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:07, Reason: Terminated |
| Monitor Duration | 00:00:07 |
| OS Thread IDs |
#
23
0x 9D4
#
47
0x B3C
#
48
0x B40
#
49
0x B44
#
50
0x B48
#
51
0x B4C |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000070000 | 0x00070000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
|
| explorer.exe | 0x001a0000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x00420fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000430000 | 0x00430000 | 0x00431fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x00440fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x00450fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000460000 | 0x00460000 | 0x00463fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005b0000 | 0x005b0000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005f0000 | 0x005f0000 | 0x00602fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000610000 | 0x00610000 | 0x00610fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000620000 | 0x00620000 | 0x00620fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000630000 | 0x00630000 | 0x00630fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000640000 | 0x00640000 | 0x00640fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000650000 | 0x00650000 | 0x00650fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000660000 | 0x00660000 | 0x00661fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000670000 | 0x00670000 | 0x00670fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000690000 | 0x00690000 | 0x00817fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000820000 | 0x00820000 | 0x009a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001db0000 | 0x01db0000 | 0x021a2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000021b0000 | 0x021b0000 | 0x0228efff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000002290000 | 0x02290000 | 0x02291fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000022a0000 | 0x022a0000 | 0x022a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000022b0000 | 0x022b0000 | 0x022effff | Private Memory | Readable, Writable |
|
|
|
|
| cversions.2.db | 0x022f0000 | 0x022f3fff | Memory Mapped File | Readable |
|
|
|
|
| {AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db | 0x02300000 | 0x02320fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000002330000 | 0x02330000 | 0x02330fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002340000 | 0x02340000 | 0x0237ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002380000 | 0x02380000 | 0x023bffff | Private Memory | Readable, Writable |
|
|
|
|
| SortDefault.nls | 0x023c0000 | 0x0268efff | Memory Mapped File | Readable |
|
|
|
|
| {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db | 0x02690000 | 0x026bffff | Memory Mapped File | Readable |
|
|
|
|
| cversions.2.db | 0x026c0000 | 0x026c3fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000026d0000 | 0x026d0000 | 0x026d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000026e0000 | 0x026e0000 | 0x0271ffff | Private Memory | Readable, Writable |
|
|
|
|
| {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | 0x02720000 | 0x02785fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000027e0000 | 0x027e0000 | 0x0281ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002820000 | 0x02820000 | 0x0285ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002880000 | 0x02880000 | 0x028bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002940000 | 0x02940000 | 0x0297ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000029a0000 | 0x029a0000 | 0x029dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000029f0000 | 0x029f0000 | 0x02a2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a30000 | 0x02a30000 | 0x02a6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02b0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002b10000 | 0x02b10000 | 0x02c0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000010000000 | 0x10000000 | 0x10014fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ExplorerFrame.dll | 0x67030000 | 0x6719efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dui70.dll | 0x67250000 | 0x67301fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| duser.dll | 0x675b0000 | 0x675defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x675f0000 | 0x67601fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x687e0000 | 0x68804fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x691d0000 | 0x691f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x69200000 | 0x692f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x69480000 | 0x69487fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x6f8e0000 | 0x6f95ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x6f960000 | 0x6fafdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| slc.dll | 0x70db0000 | 0x70db9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| GdiPlus.dll | 0x72c40000 | 0x72dcffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x72dd0000 | 0x72de2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x74d60000 | 0x74d6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75880000 | 0x759dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x75ad0000 | 0x75af6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x75be0000 | 0x75ddafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x75f10000 | 0x7602cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x76030000 | 0x7603bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x760f0000 | 0x76172fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x76200000 | 0x76211fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x763a0000 | 0x763d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76410000 | 0x76466fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76510000 | 0x76515fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x76640000 | 0x767dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x767e0000 | 0x768d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x768e0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x76970000 | 0x775b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Wldap32.dll | 0x775c0000 | 0x77604fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x77630000 | 0x77765fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x77b40000 | 0x77b44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | 0x9c8 | address = 0x1a0000, size = 2625536 |
|
1 |
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll | 251.00 KB (257024 bytes) |
MD5:
0c0df0f05baea320fa301f34e256e08b
SHA1: 0af69a2dff3208af234b22f3b100363c0c29f9d7 SHA256: 9d6c3cc1138aabec66eabd13905c24170f7f1fe6d7aa5dd6bf51f1d3bf66f03d |
|
|
| c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll | 251.00 KB (257024 bytes) |
MD5:
230c01bcc9b3ee3a62457f5273cb2659
SHA1: aea7dac045da8978dd72e80adfb6e50029eb5447 SHA256: 6edcf00bd139af3e079c4ec417af6d733bc7d55ae686fa77de2eb277c0ba7b55 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING |
|
1 | |
| CREATE | c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING |
|
1 | |
| COPY | c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll | source_file_name = c:\windows\syswow64\dpx.dll, fail_if_exists = 0 |
|
1 | |
| READ | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | size = 74752 |
|
1 | |
| DELETE | c:\users\hjrd1koky ds8lujv\appdata\roaming\cabfile.cab |
|
2 | ||
| DELETE | c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | cmd.exe \c makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" | os_tid = 0x9dc, os_pid = 0x9d8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| CREATE | cmd.exe \c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" \extract:"C:\Windows\SysWOW64\drivers" | os_tid = 0x9fc, os_pid = 0x9f8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| CREATE | cmd.exe \c makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" | os_tid = 0xab0, os_pid = 0xaac, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| CREATE | cmd.exe \c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" \extract:"C:\Windows\SysWOW64\drivers" | os_tid = 0xad0, os_pid = 0xacc, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| CREATE | C:\Windows\SysWOW64\drivers\wusa.exe | operation = runas, show_window = SW_HIDE |
|
1 | |
| OPEN_TOKEN | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | os_pid = 0x9c4, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION |
|
2 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | advapi32.dll | base_address = 0x76470000 |
|
1 | |
| LOAD | shell32.dll | base_address = 0x76970000 |
|
1 | |
| LOAD | user32.dll | base_address = 0x75e10000 |
|
1 | |
| LOAD | urlmon.dll | base_address = 0x77630000 |
|
1 | |
| LOAD | wininet.dll | base_address = 0x767e0000 |
|
1 | |
| LOAD | crypt32.dll | base_address = 0x75f10000 |
|
1 | |
| LOAD | mpr.dll | base_address = 0x675f0000 |
|
1 | |
| LOAD | ole32.dll | base_address = 0x75880000 |
|
1 | |
| LOAD | ws2_32.dll | base_address = 0x763a0000 |
|
1 | |
| LOAD | psapi.dll | base_address = 0x77b40000 |
|
1 | |
| CREATE_MAPPING | c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll | module_name = Nameless FileMapping, maximum_size = 257024, protection = PAGE_READWRITE |
|
1 | |
| MAP | c:\users\hjrd1koky ds8lujv\appdata\roaming\dpx.dll | process_name = c:\windows\syswow64\explorer.exe, os_pid = 0x9d0, module_name = Nameless FileMapping, desired_access = FILE_MAP_WRITE, file_offset = 0, address = 0x21b0000 |
|
1 | |
| UNMAP | c:\windows\syswow64\explorer.exe | os_pid = 0x9d0, base_address = 0x21b0000 |
|
1 | |
| GET_FILENAME | C:\Windows\SysWOW64\explorer.exe |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #5 / 0x9d8 |
| OS Parent PID | 0x9d0 (c:\windows\syswow64\explorer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" |
| Monitor | Start Time: 00:01:00, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs |
#
24
0x 9DC |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000350000 | 0x00350000 | 0x004d7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000004f0000 | 0x004f0000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001c10000 | 0x01c10000 | 0x01f52fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cmd.exe | 0x4a500000 | 0x4a54bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winbrand.dll | 0x675a0000 | 0x675a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN | STD_OUTPUT_HANDLE |
|
5 | ||
| OPEN | STD_INPUT_HANDLE |
|
3 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | C:\Windows\system32\makecab.exe | os_tid = 0x9f4, os_pid = 0x9f0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL |
|
1 | |
| SET_CURDIR | c:\windows\syswow64\cmd.exe | os_pid = 0x9d8, new_path_name = c:\windows\system32 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| GET_HANDLE | c:\windows\syswow64\cmd.exe | base_address = 0x4a500000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\kernel32.dll | base_address = 0x76530000 |
|
2 | |
| GET_FILENAME | C:\Windows\SysWOW64\cmd.exe |
|
1 | ||
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address = 0x7655a84f |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address = 0x76563b92 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address = 0x76544a5d |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address = 0x7655a79d |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_KEY | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| OPEN_KEY | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| OPEN_KEY | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 9 |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #6 / 0x9f0 |
| OS Parent PID | 0x9d8 (c:\windows\syswow64\cmd.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\makecab.exe |
| Command Line | makecab "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:01, Reason: Terminated |
| Monitor Duration | 00:00:00 |
| OS Thread IDs |
#
25
0x 9F4 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | Readable |
|
|
|
|
| makecab.exe | 0x00750000 | 0x0076afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x72df0000 | 0x72df8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID / OS PID | #7 / 0x9f8 |
| OS Parent PID | 0x9d0 (c:\windows\syswow64\explorer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:04, Reason: Terminated |
| Monitor Duration | 00:00:03 |
| OS Thread IDs |
#
26
0x 9FC
#
28
0x A18
#
29
0x A1C
#
31
0x A28 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x0017ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cversions.2.db | 0x001e0000 | 0x001e3fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| cversions.2.db | 0x00200000 | 0x00203fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
|
| {AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db | 0x00250000 | 0x00270fff | Memory Mapped File | Readable |
|
|
|
|
| {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db | 0x00280000 | 0x002affff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
|
| {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | 0x00460000 | 0x004c5fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x006cefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000780000 | 0x00780000 | 0x00907fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000910000 | 0x00910000 | 0x00a90fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x01e9ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x021e2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| SortDefault.nls | 0x021f0000 | 0x024befff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000024c0000 | 0x024c0000 | 0x028b2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000028c0000 | 0x028c0000 | 0x029bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a00000 | 0x02a00000 | 0x02a3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a40000 | 0x02a40000 | 0x02a7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002af0000 | 0x02af0000 | 0x02b2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002be0000 | 0x02be0000 | 0x02cdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002da0000 | 0x02da0000 | 0x02e9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003070000 | 0x03070000 | 0x0316ffff | Private Memory | Readable, Writable |
|
|
|
|
| cmd.exe | 0x49dc0000 | 0x49e0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winbrand.dll | 0x675a0000 | 0x675a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x675f0000 | 0x67601fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x691d0000 | 0x691f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x69200000 | 0x692f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x6f8e0000 | 0x6f95ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x6f960000 | 0x6fafdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x74d60000 | 0x74d6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75880000 | 0x759dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x75ad0000 | 0x75af6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x75be0000 | 0x75ddafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x75f10000 | 0x7602cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x76030000 | 0x7603bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x760f0000 | 0x76172fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x76200000 | 0x76211fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76410000 | 0x76466fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x76640000 | 0x767dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x767e0000 | 0x768d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x768e0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x76970000 | 0x775b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Wldap32.dll | 0x775c0000 | 0x77604fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x77630000 | 0x77765fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN | STD_OUTPUT_HANDLE |
|
5 | ||
| OPEN | STD_INPUT_HANDLE |
|
3 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | c:\windows\system32\wusa.exe | os_tid = 0x0, os_pid = 0x0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL |
|
1 | |
| CREATE | c:\windows\system32\wusa.exe | current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL |
|
1 | |
| SET_CURDIR | c:\windows\syswow64\cmd.exe | os_pid = 0x9f8, new_path_name = c:\windows\system32 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | SHELL32.dll | base_address = 0x76970000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\cmd.exe | base_address = 0x49dc0000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\kernel32.dll | base_address = 0x76530000 |
|
2 | |
| GET_FILENAME | C:\Windows\SysWOW64\cmd.exe |
|
1 | ||
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address = 0x7655a84f |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address = 0x76563b92 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address = 0x76544a5d |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address = 0x7655a79d |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address = 0x76991e46 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_KEY | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| OPEN_KEY | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| OPEN_KEY | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 9 |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #8 / 0xa10 |
| OS Parent PID | 0x9f8 (c:\windows\syswow64\cmd.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\wusa.exe |
| Command Line | c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs |
#
27
0x A14 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00062fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | Readable, Writable |
|
|
|
|
| wusa.exe | 0x00f50000 | 0x00f9ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID / OS PID | #9 / 0xa20 |
| OS Parent PID | 0x9f8 (c:\windows\syswow64\cmd.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\wusa.exe |
| Command Line | "C:\windows\system32\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" |
| Monitor | Start Time: 00:01:02, Reason: Child Process |
| Unmonitor | End Time: 00:01:02, Reason: Terminated |
| Monitor Duration | 00:00:00 |
| OS Thread IDs |
#
30
0x A24 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00062fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
|
| wusa.exe | 0x00e10000 | 0x00e5ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID / OS PID | #10 / 0xa98 |
| OS Parent PID | 0x9f8 (c:\windows\syswow64\cmd.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\wusa.exe |
| Command Line | "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:01:04, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs |
#
32
0x A9C
#
33
0x AA0
#
34
0x AA4 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00031fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| wusa.exe.mui | 0x000b0000 | 0x000b2fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000e0000 | 0x000e0000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00160000 | 0x001c6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x0037efff | Pagefile Backed Memory | Readable |
|
|
|
|
| wusa.exe | 0x00390000 | 0x003dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000510000 | 0x00510000 | 0x00697fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000830000 | 0x00830000 | 0x01c2ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001c30000 | 0x01c30000 | 0x01c6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ca0000 | 0x01ca0000 | 0x01cdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d30000 | 0x01d30000 | 0x01d6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d70000 | 0x01d70000 | 0x01daffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001dd0000 | 0x01dd0000 | 0x01e0ffff | Private Memory | Readable, Writable |
|
|
|
|
| SortDefault.nls | 0x01e10000 | 0x020defff | Memory Mapped File | Readable |
|
|
|
|
| StaticCache.dat | 0x020e0000 | 0x02a0ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002a10000 | 0x02a10000 | 0x02a8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002b30000 | 0x02b30000 | 0x02b6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002b90000 | 0x02b90000 | 0x02bcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02ccffff | Private Memory | Readable, Writable |
|
|
|
|
| dbghelp.dll | 0x66e50000 | 0x66f3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dpx.dll | 0x671b0000 | 0x671f1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wdscore.dll | 0x67210000 | 0x67241fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x693b0000 | 0x693eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x693f0000 | 0x69405fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6f8d0000 | 0x6f8dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x6f8e0000 | 0x6f95ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x6f960000 | 0x6fafdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x72dd0000 | 0x72de2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cabinet.dll | 0x75230000 | 0x75244fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75880000 | 0x759dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76410000 | 0x76466fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x768e0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x76970000 | 0x775b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID / OS PID | #11 / 0xaac |
| OS Parent PID | 0x9d0 (c:\windows\syswow64\explorer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" |
| Monitor | Start Time: 00:01:04, Reason: Child Process |
| Unmonitor | End Time: 00:01:05, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs |
#
35
0x AB0 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x003e0000 | 0x00446fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000450000 | 0x00450000 | 0x005d7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00770fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000780000 | 0x00780000 | 0x01b7ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001b80000 | 0x01b80000 | 0x01ec2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cmd.exe | 0x4aae0000 | 0x4ab2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winbrand.dll | 0x675a0000 | 0x675a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN | STD_OUTPUT_HANDLE |
|
5 | ||
| OPEN | STD_INPUT_HANDLE |
|
3 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | C:\Windows\system32\makecab.exe | os_tid = 0xac8, os_pid = 0xac4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL |
|
1 | |
| SET_CURDIR | c:\windows\syswow64\cmd.exe | os_pid = 0xaac, new_path_name = c:\windows\system32 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| GET_HANDLE | c:\windows\syswow64\cmd.exe | base_address = 0x4aae0000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\kernel32.dll | base_address = 0x76530000 |
|
2 | |
| GET_FILENAME | C:\Windows\SysWOW64\cmd.exe |
|
1 | ||
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address = 0x7655a84f |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address = 0x76563b92 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address = 0x76544a5d |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address = 0x7655a79d |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_KEY | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| OPEN_KEY | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| OPEN_KEY | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 9 |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #12 / 0xac4 |
| OS Parent PID | 0xaac (c:\windows\syswow64\cmd.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\makecab.exe |
| Command Line | makecab "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\dpx.dll" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" |
| Monitor | Start Time: 00:01:04, Reason: Child Process |
| Unmonitor | End Time: 00:01:05, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs |
#
36
0x AC8 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000320000 | 0x00320000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004a0000 | 0x004a0000 | 0x0059ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x00727fff | Pagefile Backed Memory | Readable |
|
|
|
|
| makecab.exe | 0x00fe0000 | 0x00ffafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x72df0000 | 0x72df8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID / OS PID | #13 / 0xacc |
| OS Parent PID | 0x9d0 (c:\windows\syswow64\explorer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" |
| Monitor | Start Time: 00:01:05, Reason: Child Process |
| Unmonitor | End Time: 00:01:06, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs |
#
37
0x AD0
#
39
0x AEC
#
40
0x AF0
#
42
0x AFC
#
43
0x B00 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000080000 | 0x00080000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x002a0000 | 0x00306fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cversions.2.db | 0x00330000 | 0x00333fff | Memory Mapped File | Readable |
|
|
|
|
| {AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db | 0x00340000 | 0x00360fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000470000 | 0x00470000 | 0x005f7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000600000 | 0x00600000 | 0x00780fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000790000 | 0x00790000 | 0x01b8ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001b90000 | 0x01b90000 | 0x01ed2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| SortDefault.nls | 0x01ee0000 | 0x021aefff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000021b0000 | 0x021b0000 | 0x0228efff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000002290000 | 0x02290000 | 0x02290fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022a0000 | 0x022a0000 | 0x022dffff | Private Memory | Readable, Writable |
|
|
|
|
| {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db | 0x022e0000 | 0x0230ffff | Memory Mapped File | Readable |
|
|
|
|
| cversions.2.db | 0x02310000 | 0x02313fff | Memory Mapped File | Readable |
|
|
|
|
| {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | 0x02320000 | 0x02385fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000002390000 | 0x02390000 | 0x02782fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002790000 | 0x02790000 | 0x0288ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002890000 | 0x02890000 | 0x02890fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000028c0000 | 0x028c0000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002950000 | 0x02950000 | 0x0298ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002990000 | 0x02990000 | 0x029cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a70000 | 0x02a70000 | 0x02b6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02c0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02d9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002dd0000 | 0x02dd0000 | 0x02ecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000030a0000 | 0x030a0000 | 0x0319ffff | Private Memory | Readable, Writable |
|
|
|
|
| cmd.exe | 0x4a9f0000 | 0x4aa3bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winbrand.dll | 0x675a0000 | 0x675a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x675f0000 | 0x67601fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x691d0000 | 0x691f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x69200000 | 0x692f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x6f8e0000 | 0x6f95ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x6f960000 | 0x6fafdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x74d60000 | 0x74d6afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75880000 | 0x759dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x75ad0000 | 0x75af6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x75be0000 | 0x75ddafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x75f10000 | 0x7602cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x76030000 | 0x7603bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x760f0000 | 0x76172fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x76200000 | 0x76211fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76410000 | 0x76466fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x76640000 | 0x767dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x767e0000 | 0x768d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x768e0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x76970000 | 0x775b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| Wldap32.dll | 0x775c0000 | 0x77604fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x77630000 | 0x77765fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN | STD_OUTPUT_HANDLE |
|
5 | ||
| OPEN | STD_INPUT_HANDLE |
|
3 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | c:\windows\system32\wusa.exe | os_tid = 0x0, os_pid = 0x0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL |
|
1 | |
| CREATE | c:\windows\system32\wusa.exe | current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL |
|
1 | |
| SET_CURDIR | c:\windows\syswow64\cmd.exe | os_pid = 0xacc, new_path_name = c:\windows\system32 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | SHELL32.dll | base_address = 0x76970000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\cmd.exe | base_address = 0x4a9f0000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\kernel32.dll | base_address = 0x76530000 |
|
2 | |
| GET_FILENAME | C:\Windows\SysWOW64\cmd.exe |
|
1 | ||
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address = 0x7655a84f |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address = 0x76563b92 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address = 0x76544a5d |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address = 0x7655a79d |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address = 0x76991e46 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_KEY | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| OPEN_KEY | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| OPEN_KEY | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 9 |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #14 / 0xae4 |
| OS Parent PID | 0xacc (c:\windows\syswow64\cmd.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\wusa.exe |
| Command Line | c:\windows\system32\wusa "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" |
| Monitor | Start Time: 00:01:05, Reason: Child Process |
| Unmonitor | End Time: 00:01:05, Reason: Terminated |
| Monitor Duration | 00:00:00 |
| OS Thread IDs |
#
38
0x AE8 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00062fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
|
| wusa.exe | 0x00a60000 | 0x00aaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID / OS PID | #15 / 0xaf4 |
| OS Parent PID | 0xacc (c:\windows\syswow64\cmd.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\wusa.exe |
| Command Line | "C:\windows\system32\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" |
| Monitor | Start Time: 00:01:05, Reason: Child Process |
| Unmonitor | End Time: 00:01:05, Reason: Terminated |
| Monitor Duration | 00:00:00 |
| OS Thread IDs |
#
41
0x AF8 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00062fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000080000 | 0x00080000 | 0x000bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
|
| wusa.exe | 0x00720000 | 0x0076ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID / OS PID | #16 / 0xb28 |
| OS Parent PID | 0xacc (c:\windows\syswow64\cmd.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\wusa.exe |
| Command Line | "C:\Windows\SysWOW64\wusa.exe" "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\cabfile.cab" /extract:"C:\Windows\SysWOW64\drivers" |
| Monitor | Start Time: 00:01:06, Reason: Child Process |
| Unmonitor | End Time: 00:01:06, Reason: Terminated |
| Monitor Duration | 00:00:00 |
| OS Thread IDs |
#
44
0x B2C
#
45
0x B30
#
46
0x B34 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00031fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00062fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| wusa.exe.mui | 0x000e0000 | 0x000e2fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000130000 | 0x00130000 | 0x00130fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00177fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000490000 | 0x00490000 | 0x00617fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x0088efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000980000 | 0x00980000 | 0x009bffff | Private Memory | Readable, Writable |
|
|
|
|
| wusa.exe | 0x009d0000 | 0x00a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x01e1ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| SortDefault.nls | 0x01e20000 | 0x020eefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000020f0000 | 0x020f0000 | 0x021effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000021f0000 | 0x021f0000 | 0x021fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022a0000 | 0x022a0000 | 0x022dffff | Private Memory | Readable, Writable |
|
|
|
|
| StaticCache.dat | 0x022e0000 | 0x02c0ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002c20000 | 0x02c20000 | 0x02c5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002d90000 | 0x02d90000 | 0x02dcffff | Private Memory | Readable, Writable |
|
|
|
|
| dbghelp.dll | 0x66f00000 | 0x66feafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wdscore.dll | 0x66ff0000 | 0x67021fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dpx.dll | 0x671b0000 | 0x671f1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x693b0000 | 0x693eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x693f0000 | 0x69405fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6f8d0000 | 0x6f8dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x6f8e0000 | 0x6f95ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x6f960000 | 0x6fafdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x72dd0000 | 0x72de2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cabinet.dll | 0x75230000 | 0x75244fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75880000 | 0x759dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76410000 | 0x76466fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x768e0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x76970000 | 0x775b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID / OS PID | #17 / 0xb70 |
| OS Parent PID | 0x9d0 (c:\windows\syswow64\explorer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\drivers\wusa.exe |
| Command Line | "C:\Windows\SysWOW64\drivers\wusa.exe" |
| Monitor | Start Time: 00:01:06, Reason: Child Process |
| Unmonitor | End Time: 00:01:14, Reason: Terminated |
| Monitor Duration | 00:00:08 |
| OS Thread IDs |
#
52
0x B74
#
55
0x B8C |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00062fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000dffff | Private Memory | Readable, Writable |
|
|
|
|
| wusa.exe | 0x00140000 | 0x0018ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| locale.nls | 0x00190000 | 0x001f6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000460000 | 0x00460000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000830000 | 0x00830000 | 0x0083ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| dpx.dll | 0x67200000 | 0x67241fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6f8d0000 | 0x6f8dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x6f960000 | 0x6fafdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75880000 | 0x759dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76410000 | 0x76466fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x768e0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x76970000 | 0x775b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID / OS PID | #18 / 0xb7c |
| OS Parent PID | 0xb70 (c:\windows\syswow64\drivers\wusa.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe |
| Command Line | C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:01:14, Reason: Terminated |
| Monitor Duration | 00:00:07 |
| OS Thread IDs |
#
53
0x B80
#
54
0x B88 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | c:\windows\system32\&hdgf$w#gsrghregrw | share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTING |
|
1 | |
| OPEN | STD_INPUT_HANDLE |
|
1 | ||
| OPEN | STD_OUTPUT_HANDLE |
|
1 | ||
| OPEN | STD_ERROR_HANDLE |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE | os_tid = 0xbd4, os_pid = 0xbd0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 |
| Operation | Address | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| ALLOC | 0x400000 | process_name = C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE, os_pid = 0xbd0, size = 24576, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE |
|
1 | |
| WRITE | 0x400000 | process_name = C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE, os_pid = 0xbd0, size = 512 |
|
1 | |
| WRITE | 0x401000 | process_name = C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE, os_pid = 0xbd0, size = 16384 |
|
1 | |
| WRITE | 0x405000 | process_name = C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE, os_pid = 0xbd0, size = 512 |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| RESUME | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe | os_tid = 0xbd4, os_pid = 0xbd0 |
|
1 | |
| GET_CONTEXT | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe | os_tid = 0xbd4, os_pid = 0xbd0 |
|
1 | |
| SET_CONTEXT | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe | os_tid = 0xbd4, os_pid = 0xbd0 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | kernel32 | base_address = 0x76530000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\kernel32.dll | base_address = 0x76530000 |
|
11 | |
| GET_HANDLE | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | base_address = 0x400000 |
|
1999 | |
| GET_HANDLE | c:\windows\syswow64\ntdll.dll | base_address = 0x77b70000 |
|
1 | |
| UNMAP | C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE | os_pid = 0xbd0, base_address = 0x400000 |
|
1 | |
| GET_FILENAME | C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE |
|
2 | ||
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address = 0x76544f2b |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address = 0x76541252 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address = 0x76544208 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsFree, address = 0x7654359f |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address = 0x77bb0fcb |
|
8 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address = 0x77ba9d35 |
|
3 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceFrequency, address = 0x765441f0 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address = 0x76541725 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = IsBadCodePtr, address = 0x76562b34 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address = 0x77b8fc70 |
|
1 |
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CONTROL | control_code = 0x0 |
|
2800 |
| Information | Value |
|---|---|
| ID / OS PID | #19 / 0xbd0 |
| OS Parent PID | 0xb7c (c:\users\hjrd1k~1\appdata\roaming\convin~1.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe |
| Command Line | C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:01:14, Reason: Terminated |
| Monitor Duration | 00:00:00 |
| OS Thread IDs |
#
56
0x BD4 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001e0000 | 0x001e0000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000400000 | 0x00400000 | 0x00405fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| locale.nls | 0x00410000 | 0x00476fff | Memory Mapped File | Readable |
|
|
|
|
| SortDefault.nls | 0x00480000 | 0x0074efff | Memory Mapped File | Readable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe | 0xb80 | address = 0x400000, size = 512 |
|
1 | |
| Modify Memory | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe | 0xb80 | address = 0x401000, size = 16384 |
|
1 | |
| Modify Memory | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe | 0xb80 | address = 0x405000, size = 512 |
|
1 | |
| Modify Control Flow | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe | 0xb80 | os_thread_id = 0xbd4 |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | C:\Windows\SysWOW64\explorer.exe | os_tid = 0xbdc, os_pid = 0xbd8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| OPEN_TOKEN | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | os_pid = 0x9c4, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION |
|
1 | |
| GET_INFO | C:\Windows\SysWOW64\explorer.exe | os_pid = 0xbd8 |
|
1 |
| Operation | Address | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| READ | 0x7efde008 | process_name = C:\Windows\SysWOW64\explorer.exe, os_pid = 0xbd8, size = 4 |
|
1 | |
| READ | 0xef0000 | process_name = C:\Windows\SysWOW64\explorer.exe, os_pid = 0xbd8, size = 1280 |
|
1 | |
| READ | 0xef0000 | process_name = C:\Windows\SysWOW64\explorer.exe, os_pid = 0xbd8, size = 2625536 |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| RESUME | c:\windows\syswow64\explorer.exe | os_tid = 0xbdc, os_pid = 0xbd8 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | advapi32.dll | base_address = 0x76470000 |
|
1 | |
| CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 1638132, protection = PAGE_EXECUTE_READWRITE |
|
1 | ||
| MAP | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | os_pid = 0x9c4, address = 0x9e0000 |
|
1 | |
| MAP | C:\Windows\SysWOW64\explorer.exe | os_pid = 0xbd8, address = 0xef0000 |
|
1 | |
| UNMAP | C:\Windows\SysWOW64\explorer.exe | os_pid = 0xbd8, base_address = 0xef0000 |
|
1 | |
| GET_FILENAME | C:\Users\HJRD1K~1\AppData\Roaming\CONVIN~1.EXE |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #20 / 0xbd8 |
| OS Parent PID | 0xbd0 (c:\users\hjrd1k~1\appdata\roaming\convin~1.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\explorer.exe |
| Command Line | C:\Windows\SysWOW64\explorer.exe |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:01:17, Reason: Terminated |
| Monitor Duration | 00:00:03 |
| OS Thread IDs |
#
57
0x BDC
#
60
0x BF0 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000dffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000e0000 | 0x00146fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x00173fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x00183fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001e0000 | 0x001e0000 | 0x001e3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x00282fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000860000 | 0x00860000 | 0x00c52fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000d40000 | 0x00d40000 | 0x00d7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000e30000 | 0x00e30000 | 0x00e6ffff | Private Memory | Readable, Writable |
|
|
|
|
| explorer.exe | 0x00ef0000 | 0x01170fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x01170fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000001180000 | 0x01180000 | 0x0257ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| SortDefault.nls | 0x02580000 | 0x0284efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000010000000 | 0x10000000 | 0x10014fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ExplorerFrame.dll | 0x66f20000 | 0x6708efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| davhlpr.dll | 0x67220000 | 0x67227fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| davclnt.dll | 0x67230000 | 0x67246fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dui70.dll | 0x67250000 | 0x67301fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x67590000 | 0x675a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| duser.dll | 0x675b0000 | 0x675defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntlanman.dll | 0x675e0000 | 0x675f3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| drprov.dll | 0x67600000 | 0x67607fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| powrprof.dll | 0x687e0000 | 0x68804fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x69200000 | 0x692f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x69480000 | 0x69487fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6f8a0000 | 0x6f8c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x6f8e0000 | 0x6f95ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| slc.dll | 0x70db0000 | 0x70db9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| GdiPlus.dll | 0x72c40000 | 0x72dcffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x72dd0000 | 0x72de2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75880000 | 0x759dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x75ad0000 | 0x75af6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x75be0000 | 0x75ddafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x75f10000 | 0x7602cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x76030000 | 0x7603bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x76200000 | 0x76211fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x763a0000 | 0x763d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76410000 | 0x76466fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76510000 | 0x76515fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x76640000 | 0x767dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x767e0000 | 0x768d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x768e0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x76970000 | 0x775b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x77630000 | 0x77765fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x77b40000 | 0x77b44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe | 0xbd4 | address = 0xef0000, size = 2625536 |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING |
|
1 | |
| CREATE | c:\windows\syswow64\ntdll.dll | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING |
|
1 | |
| READ | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe | size = 74752 |
|
1 | |
| DELETE | c:\users\hjrd1k~1\appdata\roaming\convin~1.exe |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | cmd.exe \c net stop MpsSvc | os_tid = 0xbe4, os_pid = 0xbe0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| CREATE | cmd.exe \c sc config MpsSvc start= disabled | os_tid = 0xbec, os_pid = 0xbe8, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| CREATE | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome | os_tid = 0x830, os_pid = 0x834, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| OPEN_TOKEN | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | os_pid = 0x9c4, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION |
|
1 | |
| GET_INFO | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome | os_pid = 0x834 |
|
1 |
| Operation | Address | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| READ | 0x7efde008 | process_name = "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome, os_pid = 0x834, size = 4 |
|
1 | |
| READ | 0xd30000 | process_name = "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome, os_pid = 0x834, size = 1280 |
|
1 | |
| READ | 0xd30000 | process_name = "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome, os_pid = 0x834, size = 679936 |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| RESUME | c:\program files (x86)\internet explorer\iexplore.exe | os_tid = 0x830, os_pid = 0x834 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | advapi32.dll | base_address = 0x76470000 |
|
1 | |
| LOAD | shell32.dll | base_address = 0x76970000 |
|
1 | |
| LOAD | user32.dll | base_address = 0x75e10000 |
|
1 | |
| LOAD | urlmon.dll | base_address = 0x77630000 |
|
1 | |
| LOAD | wininet.dll | base_address = 0x767e0000 |
|
1 | |
| LOAD | crypt32.dll | base_address = 0x75f10000 |
|
1 | |
| LOAD | mpr.dll | base_address = 0x67590000 |
|
1 | |
| LOAD | ole32.dll | base_address = 0x75880000 |
|
1 | |
| LOAD | ws2_32.dll | base_address = 0x763a0000 |
|
1 | |
| LOAD | psapi.dll | base_address = 0x77b40000 |
|
1 | |
| CREATE_MAPPING | module_name = kmkzdbqzhkjrnegx, maximum_size = 12765, protection = PAGE_READWRITE |
|
1 | ||
| CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 3013696, protection = PAGE_EXECUTE_READWRITE |
|
1 | ||
| MAP | c:\windows\syswow64\explorer.exe | os_pid = 0xbd8, module_name = kmkzdbqzhkjrnegx, desired_access = FILE_MAP_WRITE, FILE_MAP_READ, file_offset = 0, address = 0x280000 |
|
1 | |
| MAP | c:\users\hjrd1koky ds8lujv\appdata\roaming\convincingly.exe | os_pid = 0x9c4, address = 0xd80000 |
|
1 | |
| MAP | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome | os_pid = 0x834, address = 0xd30000 |
|
1 | |
| UNMAP | c:\windows\syswow64\explorer.exe | os_pid = 0xbd8, base_address = 0x280000 |
|
1 | |
| UNMAP | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome | os_pid = 0x834, base_address = 0xd30000 |
|
1 | |
| GET_FILENAME | C:\Windows\SysWOW64\explorer.exe |
|
1 | ||
| GET_FILENAME | C:\Windows\SysWOW64\ntdll.dll |
|
2 |
| Operation | Service | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_MGR | SERVICES_ACTIVE_DATABASE | host = Localhost, desired_access = GENERIC_READ |
|
1 | |
| ENUMERATE | SERVICES_ACTIVE_DATABASE |
|
1 | ||
| ENUMERATE | SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_KEY | HKEY_CURRENT_USER\Software\Microsoft\Windows |
|
1 | ||
| OPEN_KEY | HKEY_CURRENT_USER\Software\Classes\http\shell\open\command |
|
1 | ||
| OPEN_KEY | HKEY_LOCAL_MACHINE\Software\Classes\http\shell\open\command |
|
1 | ||
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Classes\http\shell\open\command |
|
1 | ||
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Classes\http\shell\open\command | data_ident_out = 34 |
|
1 | |
| WRITE_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Windows | data = 0 |
|
1 |
| Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|
| SLEEP | duration = 512 milliseconds (0.512 seconds) |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #21 / 0xbe0 |
| OS Parent PID | 0xbd8 (c:\windows\syswow64\explorer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c net stop MpsSvc |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:01:31, Reason: Terminated |
| Monitor Duration | 00:00:16 |
| OS Thread IDs |
#
58
0x BE4 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000060000 | 0x00060000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00171fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00210000 | 0x00276fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000003c0000 | 0x003c0000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000880000 | 0x00880000 | 0x01c7ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001c80000 | 0x01c80000 | 0x01fc2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cmd.exe | 0x4a040000 | 0x4a08bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winbrand.dll | 0x67580000 | 0x67586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN | STD_OUTPUT_HANDLE |
|
5 | ||
| OPEN | STD_INPUT_HANDLE |
|
3 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | C:\Windows\system32\net.exe | os_tid = 0x84c, os_pid = 0x844, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL |
|
1 | |
| SET_CURDIR | c:\windows\syswow64\cmd.exe | os_pid = 0xbe0, new_path_name = c:\windows\system32 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| GET_HANDLE | c:\windows\syswow64\cmd.exe | base_address = 0x4a040000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\kernel32.dll | base_address = 0x76530000 |
|
2 | |
| GET_FILENAME | C:\Windows\SysWOW64\cmd.exe |
|
1 | ||
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address = 0x7655a84f |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address = 0x76563b92 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address = 0x76544a5d |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address = 0x7655a79d |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_KEY | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| OPEN_KEY | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| OPEN_KEY | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 50 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 9 |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #22 / 0xbe8 |
| OS Parent PID | 0xbd8 (c:\windows\syswow64\explorer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c sc config MpsSvc start= disabled |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:01:16, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs |
#
59
0x BEC |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e6fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x00747fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000750000 | 0x00750000 | 0x008d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x01cdffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001ce0000 | 0x01ce0000 | 0x02022fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cmd.exe | 0x4a040000 | 0x4a08bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winbrand.dll | 0x67580000 | 0x67586fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN | STD_OUTPUT_HANDLE |
|
5 | ||
| OPEN | STD_INPUT_HANDLE |
|
3 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | C:\Windows\system32\sc.exe | os_tid = 0x848, os_pid = 0x854, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL |
|
1 | |
| SET_CURDIR | c:\windows\syswow64\cmd.exe | os_pid = 0xbe8, new_path_name = c:\windows\system32 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| GET_HANDLE | c:\windows\syswow64\cmd.exe | base_address = 0x4a040000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\kernel32.dll | base_address = 0x76530000 |
|
2 | |
| GET_FILENAME | C:\Windows\SysWOW64\cmd.exe |
|
1 | ||
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address = 0x7655a84f |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address = 0x76563b92 |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address = 0x76544a5d |
|
1 | |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address = 0x7655a79d |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_KEY | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| OPEN_KEY | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| OPEN_KEY | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data_ident_out = 64 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data_ident_out = 1 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data_ident_out = 0 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data_ident_out = 9 |
|
1 | |
| READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data_ident_out = 9 |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #23 / 0x844 |
| OS Parent PID | 0xbe0 (c:\windows\syswow64\cmd.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\net.exe |
| Command Line | net stop MpsSvc |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:01:31, Reason: Terminated |
| Monitor Duration | 00:00:16 |
| OS Thread IDs |
#
61
0x 84C |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000dffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000e0000 | 0x00146fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
|
| net.exe | 0x00270000 | 0x00287fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000290000 | 0x00290000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
|
| winnsi.dll | 0x671b0000 | 0x671b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| IPHLPAPI.DLL | 0x671c0000 | 0x671dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x671e0000 | 0x671eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samcli.dll | 0x671f0000 | 0x671fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| browcli.dll | 0x67200000 | 0x6720cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x67210000 | 0x67218fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x67590000 | 0x675a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x68600000 | 0x68618fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76510000 | 0x76515fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID / OS PID | #24 / 0x854 |
| OS Parent PID | 0xbe8 (c:\windows\syswow64\cmd.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\sc.exe |
| Command Line | sc config MpsSvc start= disabled |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:01:16, Reason: Terminated |
| Monitor Duration | 00:00:01 |
| OS Thread IDs |
#
62
0x 848
#
63
0x 840 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000080000 | 0x00080000 | 0x000bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00340000 | 0x003a6fff | Memory Mapped File | Readable |
|
|
|
|
| sc.exe | 0x00910000 | 0x0091bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN | STD_OUTPUT_HANDLE |
|
1 | ||
| WRITE | STD_OUTPUT_HANDLE | size = 34 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| GET_HANDLE | c:\windows\syswow64\sc.exe | base_address = 0x910000 |
|
1 |
| Operation | Service | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_MGR | SERVICES_ACTIVE_DATABASE | host = Localhost, desired_access = SC_MANAGER_CONNECT |
|
1 | |
| OPEN | MpsSvc | database_name = SERVICES_ACTIVE_DATABASE, desired_access = SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG |
|
1 | |
| GET_INFO | MpsSvc | type = SERVICE_CONFIG_DELAYED_AUTO_START_INFO |
|
1 | |
| SET_CONFIG | MpsSvc | new_service_type = SERVICE_NO_CHANGE, new_start_type = SERVICE_DISABLED |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #25 / 0x83c |
| OS Parent PID | 0x844 (c:\windows\syswow64\net.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\net1.exe |
| Command Line | C:\Windows\system32\net1 stop MpsSvc |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:01:31, Reason: Terminated |
| Monitor Duration | 00:00:15 |
| OS Thread IDs |
#
64
0x 838 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000120000 | 0x00120000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000130000 | 0x00130000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
|
| net1.exe | 0x00770000 | 0x00799fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netmsg.dll | 0x67060000 | 0x67061fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samlib.dll | 0x67130000 | 0x67141fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x67150000 | 0x67160fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| logoncli.dll | 0x67170000 | 0x67191fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dsrole.dll | 0x671a0000 | 0x671a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x671e0000 | 0x671eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| samcli.dll | 0x671f0000 | 0x671fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| browcli.dll | 0x67200000 | 0x6720cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x67210000 | 0x67218fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x68600000 | 0x68618fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x754c0000 | 0x754d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x763a0000 | 0x763d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76510000 | 0x76515fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN | STD_OUTPUT_HANDLE |
|
1 | ||
| OPEN | STD_ERROR_HANDLE |
|
1 | ||
| WRITE | STD_OUTPUT_HANDLE | size = 40 |
|
1 | |
| WRITE | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| WRITE | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| WRITE | STD_OUTPUT_HANDLE | size = 56 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | NETMSG | base_address = 0x67060000 |
|
1 | |
| GET_HANDLE | c:\windows\syswow64\net1.exe | base_address = 0x770000 |
|
1 | |
| GET_FILENAME | C:\Windows\SysWOW64\net1.exe |
|
1 |
| Operation | Service | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| OPEN_MGR | SERVICES_ACTIVE_DATABASE | host = Localhost, desired_access = GENERIC_READ |
|
1 | |
| OPEN | MPSSVC | database_name = SERVICES_ACTIVE_DATABASE, desired_access = SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS |
|
1 | |
| GET_INFO | MPSSVC | type = Status |
|
1 | |
| GET_INFO | MPSSVC | type = DependentServices |
|
1 | |
| GET_DISPLAY_NAME | SERVICES_ACTIVE_DATABASE | service_name = MPSSVC, display_name_out = Windows Firewall |
|
2 | |
| GET_SERVICE_NAME | SERVICES_ACTIVE_DATABASE | display_name = MPSSVC, service_name_out = |
|
1 |
| Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|
| SLEEP | duration = 2500 milliseconds (2.500 seconds) |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #26 / 0x834 |
| OS Parent PID | 0xbd8 (c:\windows\syswow64\explorer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\program files (x86)\internet explorer\iexplore.exe |
| Command Line | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:01:19, Reason: Terminated |
| Monitor Duration | 00:00:03 |
| OS Thread IDs |
#
65
0x 830
#
66
0x 82C |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00031fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| iexplore.exe.mui | 0x00060000 | 0x00061fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00100000 | 0x00166fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00184fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x00193fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000300000 | 0x00300000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000510000 | 0x00510000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Pagefile Backed Memory | Readable |
|
|
|
|
| SortDefault.nls | 0x00960000 | 0x00c2efff | Memory Mapped File | Readable |
|
|
|
|
| iexplore.exe | 0x00d30000 | 0x00dd5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00dd5fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x021dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000022d0000 | 0x022d0000 | 0x0230ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002330000 | 0x02330000 | 0x0233ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002390000 | 0x02390000 | 0x023cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002420000 | 0x02420000 | 0x0251ffff | Private Memory | Readable, Writable |
|
|
|
|
| winnsi.dll | 0x671b0000 | 0x671b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| IPHLPAPI.DLL | 0x671c0000 | 0x671dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winrnr.dll | 0x67290000 | 0x67297fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x672a0000 | 0x672e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pnrpnsp.dll | 0x672f0000 | 0x67301fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x67590000 | 0x675a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| NapiNSP.dll | 0x675b0000 | 0x675bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| WSHTCPIP.DLL | 0x675c0000 | 0x675c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x675d0000 | 0x6760bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasadhlp.dll | 0x685f0000 | 0x685f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nlaapi.dll | 0x69410000 | 0x6941ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75880000 | 0x759dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x75be0000 | 0x75ddafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x75f10000 | 0x7602cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x76030000 | 0x7603bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x763a0000 | 0x763d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76410000 | 0x76466fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76510000 | 0x76515fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x767e0000 | 0x768d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x768e0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x76970000 | 0x775b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x77630000 | 0x77765fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x77b40000 | 0x77b44fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | c:\windows\syswow64\explorer.exe | 0xbdc | address = 0xd30000, size = 679936 |
|
1 |
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | vssadmin.exe delete shadows /all /quiet | show_window = SW_HIDE |
|
1 | |
| CREATE | bcdedit /set {default} recoveryenabled no | show_window = SW_HIDE |
|
1 | |
| CREATE | bcdedit /set {default} bootstatuspolicy ignoreallfailures | show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | advapi32.dll | base_address = 0x76470000 |
|
1 | |
| LOAD | shell32.dll | base_address = 0x76970000 |
|
1 | |
| LOAD | user32.dll | base_address = 0x75e10000 |
|
1 | |
| LOAD | urlmon.dll | base_address = 0x77630000 |
|
1 | |
| LOAD | wininet.dll | base_address = 0x767e0000 |
|
1 | |
| LOAD | crypt32.dll | base_address = 0x75f10000 |
|
1 | |
| LOAD | mpr.dll | base_address = 0x67590000 |
|
1 | |
| LOAD | ole32.dll | base_address = 0x75880000 |
|
1 | |
| LOAD | ws2_32.dll | base_address = 0x763a0000 |
|
1 | |
| LOAD | psapi.dll | base_address = 0x77b40000 |
|
1 | |
| CREATE_MAPPING | module_name = Nameless FileMapping, maximum_size = 86016, protection = PAGE_EXECUTE_READWRITE, SEC_COMMIT |
|
1 | ||
| MAP | c:\program files (x86)\internet explorer\iexplore.exe | os_pid = 0x834, desired_access = FILE_MAP_WRITE, FILE_MAP_READ, file_offset = 0, address = 0x90000 |
|
1 | |
| MAP | c:\program files (x86)\internet explorer\iexplore.exe | os_pid = 0x834, module_name = Nameless FileMapping, desired_access = FILE_MAP_ALL_ACCESS, file_offset = 0, address = 0x170000 |
|
1 | |
| GET_FILENAME | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
|
1 |
| Operation | Host | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| RESOLVE_NAME | foandrenla.com |
|
1 |
| Information | Value |
|---|---|
| ID / OS PID | #27 / 0x828 |
| OS Parent PID | 0x834 (c:\program files (x86)\internet explorer\iexplore.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\syswow64\vssadmin.exe |
| Command Line | vssadmin.exe delete shadows /all /quiet |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Terminated |
| Monitor Duration | 00:00:03 |
| OS Thread IDs |
#
67
0x 5D8
#
68
0x 68C
#
69
0x 274
#
70
0x 6B8
#
71
0x 8AC |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| vssadmin.exe.mui | 0x000f0000 | 0x000fcfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000290000 | 0x00290000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | Readable, Writable |
|
|
|
|
| SortDefault.nls | 0x00980000 | 0x00c4efff | Memory Mapped File | Readable |
|
|
|
|
| vssadmin.exe | 0x00d50000 | 0x00d6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x0216ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| vssapi.dll | 0x67010000 | 0x67125fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| atl.dll | 0x675f0000 | 0x67603fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| vsstrace.dll | 0x685f0000 | 0x685fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| RpcRtRemote.dll | 0x693a0000 | 0x693adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x693b0000 | 0x693eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x693f0000 | 0x69405fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x75090000 | 0x750ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x750f0000 | 0x7512efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x75680000 | 0x75687fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x756c0000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x756d0000 | 0x7572ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x75730000 | 0x7581ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x75880000 | 0x759dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| KernelBase.dll | 0x759e0000 | 0x75a25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x75a30000 | 0x75accfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x75b00000 | 0x75b09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x75b10000 | 0x75bdbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x75e10000 | 0x75f0ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76040000 | 0x760ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x760f0000 | 0x76172fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x76220000 | 0x7627ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x76280000 | 0x7630ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x76470000 | 0x7650ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76530000 | 0x7663ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x768e0000 | 0x7696efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77610000 | 0x77628fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077770000 | 0x77770000 | 0x77869fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000077870000 | 0x77870000 | 0x7798efff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77990000 | 0x77b38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77b70000 | 0x77ceffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
