Technical Details

| Field | Value |
|---|---|
| Analysis Number | 1 |
| Parent ID | 0 |
| Process ID | 196 |
| Filename | c:\ldr.exe |
| Filesize | 28672 bytes |
| MD5 | 67f88bf5ae4a4c64dbee3de00dc8fc0c |
| Start Reason | AnalysisTarget |
| Termination Reason | NormalTermination |
| Start Time | 00:00.360 |
| Stop Time | 00:05.344 |
| Detection | OK (ClamAV), OK (BDC/Linux-Console), TR/Crypt.XPACK.Gen (AntiVir Workstation) |

| COM |
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
| DLL-Handling |
| Loaded DLLs |
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\Secur32.dll
kernel32.dll
kernel32
user32
shlwapi.dll
shell32.dll
advapi32.dll
comctl32.dll
wininet.dll
urlmon.dll
uxtheme.dll
netapi32
SHELL32.dll
ole32.dll
VERSION.dll
crypt32.dll
MSVCRT.DLL
C:\WINDOWS\system32\MFC42LOC.DLL
C:\WINDOWS\system32\wshDEU.DLL
wshDEU.DLL
C:\WINDOWS\system32\wshDE.DLL
| Filesystem |
| New Files |
C:\WINDOWS\9129837.exe
c:\abcdefg.bat

| Opened Files |
\\.\PIPE\lsarpc
\\.\PIPE\wkssvc
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\9129837.exe
c:\abcdefg.bat

| Deleted Files |
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ads.ethereal[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@adverserve[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@atdmt[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@casalemedia[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@chip.de.intellitxt[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@chip[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@de.msn[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@dmpi[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@doubleclick[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ebayobjects[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ebay[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@eloqua[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@globalscape[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@google[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@google[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ie.search.msn[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ip-adress[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ivwbox[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@komtrack[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@live[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@m.webtrends[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@mediaplex[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@metrixlab58.customers.luna[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@microsoft[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@msn.co[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@msnportal.112.2o7[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@msn[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@mysql[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@php.sales.tfag[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@rad.msn[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@rtm[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@search.msn[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@serving-sys[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@statse.webtrendslive[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@tradedoubler[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@www.chip[1].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@www.myip[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@www.sitelauncher[2].txt
C:\Dokumente und Einstellungen\hanswurst\Cookies\index.dat

| Chronological order |
Find File: C:\Dokumente und Einstellungen\hanswurst\Anwendungsdaten\Macromedia\\*.sol
Find File: C:\Dokumente und Einstellungen\hanswurst\Anwendungsdaten\Macromedia\*.*
Find File: C:\Dokumente und Einstellungen\hanswurst\Cookies\\*.*
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ads.ethereal[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@adverserve[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@atdmt[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@casalemedia[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@chip.de.intellitxt[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@chip[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@de.msn[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@dmpi[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@doubleclick[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ebayobjects[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ebay[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@eloqua[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@globalscape[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@google[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@google[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ie.search.msn[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ip-adress[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@ivwbox[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@komtrack[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@live[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@m.webtrends[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@mediaplex[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@metrixlab58.customers.luna[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@microsoft[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@msn.co[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@msnportal.112.2o7[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@msn[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@mysql[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@php.sales.tfag[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@rad.msn[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@rtm[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@search.msn[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@serving-sys[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@statse.webtrendslive[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@tradedoubler[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@www.chip[1].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@www.myip[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\hanswurst@www.sitelauncher[2].txt
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\index.dat
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Copy File: c:\ldr.exe to C:\WINDOWS\9129837.exe
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\9129837.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\hanswurst\Eigene Dateien\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\All Users\Dokumente\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\9129837.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\9129837.exe ()
Find File: 9129837.exe
Create File: c:\abcdefg.bat
Get File Attributes: c:\abcdefg.bat Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\abcdefg.bat:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: c:\abcdefg.bat ()
Find File: abcdefg.bat
| INI Files |
| Read INI File |
C:\Dokumente und Einstellungen\hanswurst\Eigene Dateien\desktop.ini [DeleteOnCopy] Owner =
C:\Dokumente und Einstellungen\hanswurst\Eigene Dateien\desktop.ini [DeleteOnCopy.A] Owner =
C:\Dokumente und Einstellungen\hanswurst\Eigene Dateien\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Dokumente und Einstellungen\hanswurst\Eigene Dateien\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Dokumente und Einstellungen\All Users\Dokumente\desktop.ini [DeleteOnCopy] Owner =
C:\Dokumente und Einstellungen\All Users\Dokumente\desktop.ini [.ShellClassInfo] LocalizedResourceName =
| Mutexes |
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-854245398-1425521274-839522115-1003
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-854245398-1425521274-839522115-1003
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-854245398-1425521274-839522115-1003
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-854245398-1425521274-839522115-1003
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-854245398-1425521274-839522115-1003
Creates Mutex: CTF.TimListCache.FMPDefaultS-1-5-21-854245398-1425521274-839522115-1003MUTEX.DefaultS-1-5-21-85424539
| Registry |
| Changes |
HKEY_CURRENT_USER\Software\Microsoft\InetData "" = [REG_DWORD, value: 625C5191]
HKEY_CURRENT_USER\Software\Microsoft\InetData "" = [REG_DWORD, value: 447F8CDB]
HKEY_CURRENT_USER\Software\Microsoft\InetData "" = 951
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "" = C:\WINDOWS\9129837.exe

| Reads |
HKEY_CURRENT_USER\Software\Microsoft\InetData ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF ""
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing ""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security ""

| Enums |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID

| Process Management |
Creates Process - Filename (C:\WINDOWS\9129837.exe) CommandLine: () As User: () Creation Flags: ()
Creates Process - Filename (c:\abcdefg.bat) CommandLine: ("c:\ldr.exe") As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (196) As User: () Creation Flags: ()
| Service Management |
Open Service Manager - Name: "SCM"
Open Service - Name: "SharedAccess"
Open Service - Name: "wscsvc"
Control Service - Name: (SharedAccess) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (wscsvc) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Change Service Configuration - Name: (SharedAccess) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (wscsvc) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
| System Info |
Get System Directory
Get Windows Directory
Get Computer Name
| Virtual Memory |
VM Protect - Target: (196) Address: ($7C81C000) Size: (4096) Protect: (PAGE_READWRITE)
VM Protect - Target: (196) Address: ($7CA50000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7CA50000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7CAC4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7CAC4000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7CA11000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7CA11000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7CA50000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7CA50000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7CAD3000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7CAD3000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($77195000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($77195000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($771A5000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($771A5000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($77193000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($77193000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7719F000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7719F000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($77193000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($77193000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7719E000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7719E000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (196) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (196) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
| Window |
Enum Windows

| Field | Value |
|---|---|
| Analysis Number | 2 |
| Parent ID | 0 |
| Process ID | 724 |
| Filename | services.exe |
| Filesize | -1 bytes |
| MD5 | |
| Start Reason | SCM |
| Termination Reason | Timeout |
| Start Time | 00:02.453 |
| Stop Time | 02:10.750 |

| Process Management |
Creates Process - Filename () CommandLine: ("C:\WINDOWS\system32\iisreset.exe" /fail=1) As User: () Creation Flags: (CREATE_NEW_CONSOLE,CREATE_SUSPENDED)
| Service Management |
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\new_drv) File Name: ()

The following process was started by process: 1
| Field | Value |
|---|---|
| Analysis Number | 3 |
| Parent ID | 1 |
| Process ID | 1584 |
| Filename | C:\WINDOWS\9129837.exe |
| Filesize | 28672 bytes |
| MD5 | 67f88bf5ae4a4c64dbee3de00dc8fc0c |
| Start Reason | CreateProcess |
| Termination Reason | Timeout |
| Start Time | 00:04.219 |
| Stop Time | 02:07.141 |
| Detection | OK (ClamAV), OK (BDC/Linux-Console), TR/Crypt.XPACK.Gen (AntiVir Workstation) |

| DLL-Handling |
| Loaded DLLs |
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\Secur32.dll
kernel32.dll
kernel32
user32
shlwapi.dll
shell32.dll
advapi32.dll
comctl32.dll
wininet.dll
urlmon.dll
WS2_32.dll
uxtheme.dll
RASAPI32.DLL
RTUTILS.DLL
RASMAN.DLL
secur32.dll
pstorec.dll
crypt32.dll
C:\WINDOWS\system32\msv1_0.dll
SHELL32.dll
USERENV.dll
netapi32.dll
NETAPI32.dll
VERSION.dll
userenv.dll
| Filesystem |
| New Files |
\Device\Tcp
C:\WINDOWS\new_drv.sys
\\.\pipe\ie_down_pipe
\Device\Ip
\Device\Ip
\Device\Tcp6

| Opened Files |
\\.\PIPE\lsarpc
\\.\new_drv
\\.\PIPE\ROUTER
\\.\Ip
c:\autoexec.bat
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk

| Deleted Files |
C:\Dokumente und Einstellungen\hanswurst\Cookies\index.dat

| Chronological order |
Find File: C:\Dokumente und Einstellungen\hanswurst\Anwendungsdaten\Macromedia\\*.sol
Find File: C:\Dokumente und Einstellungen\hanswurst\Anwendungsdaten\Macromedia\*.*
Find File: C:\Dokumente und Einstellungen\hanswurst\Cookies\\*.*
Delete File: C:\Dokumente und Einstellungen\hanswurst\Cookies\index.dat
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create File: C:\WINDOWS\new_drv.sys
Open File: \\.\new_drv (OPEN_EXISTING)
Create NamedPipe: \\.\pipe\ie_down_pipe
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk
Open File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\hanswurst\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Find File: C:\Dokumente und Einstellungen\hanswurst\Anwendungsdaten\Microsoft\SystemCertificates\My\Certificates\*
Find File: C:\Dokumente und Einstellungen\hanswurst\Anwendungsdaten\Microsoft\SystemCertificates\My\CRLs\*
Find File: C:\Dokumente und Einstellungen\hanswurst\Anwendungsdaten\Microsoft\SystemCertificates\My\CTLs\*
Find File: C:\tan
Find File: C:\tan*.*
Find File: C:\TAN
Find File: C:\TAN*.*
| Mutexes |
Creates Mutex: ___RHaiuy72Mjtex
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-854245398-1425521274-839522115-1003
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-854245398-1425521274-839522115-1003
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-854245398-1425521274-839522115-1003
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-854245398-1425521274-839522115-1003
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-854245398-1425521274-839522115-1003
Creates Mutex: CTF.TimListCache.FMPDefaultS-1-5-21-854245398-1425521274-839522115-1003MUTEX.DefaultS-1-5-21-85424539
Creates Mutex: RasPbFile
| Registry |
| Changes |
HKEY_CURRENT_USER\Software\Microsoft\InetData "" = 951
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "" = C:\WINDOWS\9129837.exe
HKEY_CURRENT_USER\Software\Microsoft\InetData "" = [REG_BINARY, size: 19251 bytes]

| Reads |
HKEY_CURRENT_USER\Software\Microsoft\InetData ""
HKEY_CURRENT_USER\Software\Microsoft\InetData ""
HKEY_CURRENT_USER\Software\Microsoft\InetData ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService ""
HKEY_CURRENT_USER\Software\Microsoft\InetData ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography ""

| Enums |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv

| Process Management |
Enum Processes
Open Process - Filename () Target PID: (4)
Open Process - Filename (C:\WINDOWS\System32\smss.exe) Target PID: (412)
Open Process - Filename (C:\WINDOWS\system32\csrss.exe) Target PID: (656)
Open Process - Filename (C:\WINDOWS\system32\winlogon.exe) Target PID: (680)
Open Process - Filename (C:\WINDOWS\system32\services.exe) Target PID: (724)
Open Process - Filename (C:\WINDOWS\system32\lsass.exe) Target PID: (736)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (888)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1016)
Open Process - Filename (C:\WINDOWS\System32\svchost.exe) Target PID: (1108)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1156)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1204)
Open Process - Filename (C:\WINDOWS\system32\spoolsv.exe) Target PID: (1500)
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1768)
Open Process - Filename (C:\WINDOWS\system32\inetsrv\inetinfo.exe) Target PID: (1880)
Open Process - Filename (C:\WINDOWS\system32\ctfmon.exe) Target PID: (2004)
Open Process - Filename (C:\WINDOWS\System32\logon.scr) Target PID: (612)
Open Process - Filename () Target PID: (1164)
| Service Management |
Open Service Manager - Name: "SCM"
Open Service - Name: "SharedAccess"
Open Service - Name: "wscsvc"
Open Service - Name: "new_drv"
Open Service - Name: "RASMAN"
Create Service - Name: (new_drv) Display Name: (!!!!) File Name: (C:\WINDOWS\new_drv.sys) Control: () Start Type: (SERVICE_DEMAND_START)
Start Service - Name: (new_drv) Display Name: () File Name: () Control: () Start Type: ()
Control Service - Name: (SharedAccess) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (wscsvc) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Change Service Configuration - Name: (SharedAccess) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (wscsvc) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
| System |
Sleep - Milliseconds (3600000)
Sleep - Milliseconds (100)
Sleep - Milliseconds (0)
Sleep - Milliseconds (1200000)
| System Info |
Get System Directory
Get Windows Directory
Get Computer Name
| Threads |
Create Remote Thread - Target PID (412) Thread ID (796) Thread ID ($00300000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (656) Thread ID (424) Thread ID ($00F30000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (680) Thread ID (1720) Thread ID ($00A80000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (724) Thread ID (520) Thread ID ($00A10000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (736) Thread ID (1448) Thread ID ($00AE0000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (888) Thread ID (1592) Thread ID ($006B0000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1016) Thread ID (1828) Thread ID ($00790000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1108) Thread ID (1776) Thread ID ($00F10000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1156) Thread ID (248) Thread ID ($00800000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1204) Thread ID (420) Thread ID ($00940000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1500) Thread ID (1532) Thread ID ($00910000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1768) Thread ID (1320) Thread ID ($00F00000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1880) Thread ID (1136) Thread ID ($008D0000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (2004) Thread ID (1980) Thread ID ($00950000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (612) Thread ID (1988) Thread ID ($007F0000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
| User Management |
Impersonate User - Domain: () User: (hanswurst)
Impersonate User - Domain: () User: (hanswurst)
Impersonate User - Domain: () User: (hanswurst)
Impersonate User - Domain: () User: (hanswurst)
Impersonate User - Domain: () User: (hanswurst)
Impersonate User - Domain: () User: (hanswurst)
Impersonate User - Domain: () User: (hanswurst)
Impersonate User - Domain: () User: (hanswurst)
Impersonate User - Domain: () User: (hanswurst)
Impersonate User - Domain: () User: (hanswurst)
| Virtual Memory |
VM Allocate - Target: (4) Address: ($00040000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (4) Address: ($00170000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (4) Address: ($0026E000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (412) Address: ($00300000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (412) Address: ($00310000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (412) Address: ($0040E000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (656) Address: ($00F30000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (656) Address: ($01900000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (656) Address: ($019FE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (680) Address: ($00A80000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (680) Address: ($01B80000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (680) Address: ($01C7E000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (724) Address: ($00A10000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (724) Address: ($01020000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (724) Address: ($0111E000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (736) Address: ($00AE0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (736) Address: ($00DC0000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (736) Address: ($00EBE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (888) Address: ($006B0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (888) Address: ($00BC0000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (888) Address: ($00CBE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1016) Address: ($00790000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1016) Address: ($00850000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1016) Address: ($0094E000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1108) Address: ($00F10000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1108) Address: ($02EC0000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1108) Address: ($02FBE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1156) Address: ($00800000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1156) Address: ($00810000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1156) Address: ($0090E000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1204) Address: ($00940000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1204) Address: ($009C0000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1204) Address: ($00ABE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1500) Address: ($00910000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1500) Address: ($00DF0000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1500) Address: ($00EEE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1768) Address: ($00F00000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1768) Address: ($025E0000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1768) Address: ($026DE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1880) Address: ($008D0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1880) Address: ($00DB0000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1880) Address: ($00EAE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (2004) Address: ($00950000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (2004) Address: ($00960000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (2004) Address: ($00A5E000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (612) Address: ($007F0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (612) Address: ($008C0000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (612) Address: ($009BE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Protect - Target: (1584) Address: ($7C81C000) Size: (4096) Protect: (PAGE_READWRITE)
VM Protect - Target: (1584) Address: ($7CA50000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7CA50000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7CAC4000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7CAC4000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7CA11000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7CA11000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7CA50000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7CA50000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7CAD3000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7CAD3000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($77195000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($77195000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($771A5000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($771A5000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($77193000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($77193000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7719F000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7719F000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($77193000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($77193000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7719E000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7719E000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7728B000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($7728A000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (4) Address: ($00040000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (4) Address: ($00040000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (4) Address: ($0026E000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (412) Address: ($00300000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (412) Address: ($00300000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (412) Address: ($0040E000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (656) Address: ($00F30000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (656) Address: ($00F30000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (656) Address: ($019FE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (680) Address: ($00A80000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (680) Address: ($00A80000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (680) Address: ($01C7E000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (724) Address: ($00A10000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (724) Address: ($00A10000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (724) Address: ($0111E000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (736) Address: ($00AE0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (736) Address: ($00AE0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (736) Address: ($00EBE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (888) Address: ($006B0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (888) Address: ($006B0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (888) Address: ($00CBE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (1016) Address: ($00790000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1016) Address: ($00790000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1016) Address: ($0094E000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (1108) Address: ($00F10000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1108) Address: ($00F10000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1108) Address: ($02FBE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (1156) Address: ($00800000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1156) Address: ($00800000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1156) Address: ($0090E000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (1204) Address: ($00940000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1204) Address: ($00940000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1204) Address: ($00ABE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (1500) Address: ($00910000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1500) Address: ($00910000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1500) Address: ($00EEE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (1584) Address: ($597DF000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($597DF000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($597D8000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($597D8000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($59812000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($59812000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1768) Address: ($00F00000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1768) Address: ($00F00000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1768) Address: ($026DE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (1584) Address: ($597DF000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($597DF000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($59812000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($59812000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($59807000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($59807000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($59804000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($59804000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1880) Address: ($008D0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1880) Address: ($008D0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($59804000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($59804000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1880) Address: ($00EAE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (1584) Address: ($59804000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($59804000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (1584) Address: ($597DA000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1584) Address: ($597DA000) Size: (4096) Protect: (PAGE_EXECUTE_READ)
VM Protect - Target: (2004) Address: ($00950000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2004) Address: ($00950000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (2004) Address: ($00A5E000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Protect - Target: (612) Address: ($007F0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (612) Address: ($007F0000) Size: (20480) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (612) Address: ($009BE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Write - Target: (4) Address: ($00040000) Size: (17725)
VM Write - Target: (412) Address: ($00300000) Size: (17725)
VM Write - Target: (656) Address: ($00F30000) Size: (17725)
VM Write - Target: (680) Address: ($00A80000) Size: (17725)
VM Write - Target: (724) Address: ($00A10000) Size: (17725)
VM Write - Target: (736) Address: ($00AE0000) Size: (17725)
VM Write - Target: (888) Address: ($006B0000) Size: (17725)
VM Write - Target: (1016) Address: ($00790000) Size: (17725)
VM Write - Target: (1108) Address: ($00F10000) Size: (17725)
VM Write - Target: (1156) Address: ($00800000) Size: (17725)
VM Write - Target: (1204) Address: ($00940000) Size: (17725)
VM Write - Target: (1500) Address: ($00910000) Size: (17725)
VM Write - Target: (1768) Address: ($00F00000) Size: (17725)
VM Write - Target: (1880) Address: ($008D0000) Size: (17725)
VM Write - Target: (2004) Address: ($00950000) Size: (17725)
VM Write - Target: (612) Address: ($007F0000) Size: (17725)
|
| Window |
Enum Windows
|
| Network Activity |
| UDP Connections |
Remote IP Address: 127.0.0.1 Port: 1991
Send Datagram: packet(s) of size 1
Recv Datagram: packet(s) of size 1
|
Opened listening TCP connection on port: 22664
| Download URLs |
http://81.95.147.107/cgi-bin/options.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=00000000 (81.95.147.107)
http://81.95.147.107/cgi-bin/cmd.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=00000000 (81.95.147.107)
http://81.95.147.107/cgi-bin/cmd.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=00000000 (81.95.147.107)
http://81.95.147.107/cgi-bin/options.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=527620ee (81.95.147.107)
http://81.95.147.107/cgi-bin/options.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=527620ee (81.95.147.107)
http://81.95.147.107/cgi-bin/cmd.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=00000000 (81.95.147.107)
http://81.95.147.107/cgi-bin/cmd.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=00000000 (81.95.147.107)
http://81.95.147.107/cgi-bin/options.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=527620ee (81.95.147.107)
http://81.95.147.107/cgi-bin/cmd.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=00000000 (81.95.147.107)
http://81.95.147.107/cgi-bin/options.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=527620ee (81.95.147.107)
http://81.95.147.107/cgi-bin/options.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=527620ee (81.95.147.107)
http://81.95.147.107/cgi-bin/cmd.cgi?user_id=1650217361&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=22664&version=124&crc=00000000 (81.95.147.107)
|
| Data posted to URLs |
http://81.95.147.107/cgi-bin/pstore.cgi (81.95.147.107)
|
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
Outgoing connection to remote server: 81.95.147.107 TCP port 80
|
|
The following process was started by process: 1
| Analysis Number | 4 |
| Parent ID | 1 |
| Process ID | 1164 |
| Filename | c:\abcdefg.bat c:\ldr.exe |
| Filesize | -1 bytes |
| MD5 | |
| Start Reason | CreateProcess |
| Termination Reason | NormalTermination |
| Start Time | 00:04.594 |
| Stop Time | 00:18.141 |
| Detection | OK (ClamAV), OK (BDC/Linux-Console), OK (AntiVir Workstation) |
|
| DLL-Handling |
| Loaded DLLs |
|
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\Secur32.dll
ADVAPI32.dll
|
|
| Filesystem |
| Opened Files |
c:\abcdefg.bat
|
| Deleted Files |
c:\ldr.exe c:\abcdefg.bat
|
| Chronological order |
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Get File Attributes: "c:\abcdefg.bat" Flags: (SECURITY_ANONYMOUS)
Find File: c:\abcdefg.bat
Open File: c:\abcdefg.bat (OPEN_EXISTING)
Get File Attributes: c:\ldr.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Find File: c:\ldr.exe
Delete File: c:\ldr.exe
Get File Attributes: c:\abcdefg.bat Flags: (SECURITY_ANONYMOUS)
Delete File: c:\abcdefg.bat
|
|
| Registry |
| Reads |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
|
|
| Process Management |
Kill Process - Filename () CommandLine: () Target PID: (1164) As User: () Creation Flags: ()
|
|
The following process was started by process: 3
| Analysis Number | 5 |
| Parent ID | 3 |
| Process ID | 412 |
| Filename | |
| Filesize | -1 bytes |
| MD5 | |
| Start Reason | InjectedCode |
| Termination Reason | Unknown |
| Start Time | 00:07.828 |
| Stop Time | 00:00.000 |
|
The following process was started by process: 3
| Analysis Number | 6 |
| Parent ID | 3 |
| Process ID | 656 |
| Filename | \??\C:\WINDOWS\system32\csrss.exe |
| Filesize | -1 bytes |
| MD5 | |
| Start Reason | InjectedCode |
| Termination Reason | Timeout |