| Category | Started On | Completed On | Duration | Cuckoo Version |
|---|---|---|---|---|
| FILE | 2014-06-03 10:21:30 | 2014-06-03 10:22:53 | 83 seconds | 1.3-dev |
| Machine | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| egg1 | egg1 | VirtualBox | 2014-06-03 10:21:31 | 2014-06-03 10:22:50 |
File Details
| File name | ce51eaef8dab8d2f2c073456eca5adb6.bat |
|---|---|
| File size | 196 bytes |
| File type | ASCII text, with CRLF line terminators |
| CRC32 | D30BC7DB |
| MD5 | ce51eaef8dab8d2f2c073456eca5adb6 |
| SHA1 | b37e3c6c4bdd99b946924d0a844c08deb44a169b |
| SHA256 | 38c8dcde86be1122ae858a5bfa50d0d644b5a908d91210785b7f999c063a4871 |
| SHA512 | e9d02751264df744ee7511075e192f758bbff5566c97f3df71b0f7c21ede4cf5e52f7e0feab58bac58211f8c15c7dc7893049b3ab0109ee66e7ab9adb5d49d99 |
| Ssdeep | None |
| PEiD | None matched |
| Yara | None matched |
| VirusTotal | VirusTotal lookup disabled, add your API key to the module |
Signatures
Screenshots
Static Analysis
Dropped Files
Network Analysis
Hosts Involved
| IP Address |
|---|
| 8.8.8.8 |
DNS Requests
| Domain | IP Address |
|---|---|
| teredo.ipv6.microsoft.com | |
| dns.msftncsi.com | 131.107.255.255 |
Behavior Summary
Files
- C:\Users
- C:\Users\ADMINI~1
- C:\Users\ADMINI~1\AppData
- C:\Users\ADMINI~1\AppData\Local
- C:\Users\ADMINI~1\AppData\Local\Temp
- C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat
- C:\
- C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat\
- C:\Users\ADMINI~1\AppData\Local\Temp\
- C:\Users\ADMINI~1\AppData\Local\
- C:\Users\ADMINI~1\AppData\
- C:\Users\ADMINI~1\
- C:\Users\
- C:
- MountPointManager
- C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe
- C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe.*
- C:\Windows\system32\cmd.exe
- c:\flag1.txt
- c:\Windows\flag2.txt
- c:\Users\Administrator\Documents\flag3.txt
- c:\Users\Administrator\AppData\Roaming\flag4.txt
Mutexes
Nothing to display.
Registry Keys
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500
- Software\Policies\Microsoft\Windows\System
- Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
- HKEY_USERS\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
Processes
registry filesystem process services network synchronization
cmd.exe PID: 1924, Parent PID: 1852
| Timestamp | Thread | Function | Arguments | Status | Return | Repeated |
|---|---|---|---|---|---|---|
| 10:21:33,672 | 1928 | NtOpenDirectoryObject |
DirectoryHandle => 0x0000008c DesiredAccess => 15 ObjectAttributes => C:\Sessions\1\BaseNamedObjects |
SUCCESS | 0x00000000 | |
| 10:21:33,688 | 1928 | NtOpenThread |
DesiredAccess => 2097151 ObjectAttributes => ThreadHandle => 0x00000090 |
SUCCESS | 0x00000000 | |
| 10:21:33,703 | 1928 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:33,703 | 1928 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetThreadUILanguage FunctionAddress => 0x771fa84f ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:33,703 | 1928 | NtOpenKey |
DesiredAccess => 33554432 KeyHandle => 0x00000094 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500 |
SUCCESS | 0x00000000 | |
| 10:21:33,703 | 1928 | NtOpenKeyEx |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => Software\Policies\Microsoft\Windows\System |
FAILURE | 0xc0000034 | |
| 10:21:33,703 | 1928 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x00000098 ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
KeyHandle => 0x00000098 ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
Information => 1 KeyHandle => 0x00000098 ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
KeyHandle => 0x00000098 ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
Information => 0 KeyHandle => 0x00000098 ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
Information => 64 KeyHandle => 0x00000098 ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
Information => 64 KeyHandle => 0x00000098 ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
KeyHandle => 0x00000098 ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:33,719 | 1928 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x00000098 ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
KeyHandle => 0x00000098 ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
Information => 1 KeyHandle => 0x00000098 ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
KeyHandle => 0x00000098 ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
Information => 0 KeyHandle => 0x00000098 ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
Information => 9 KeyHandle => 0x00000098 ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
Information => 9 KeyHandle => 0x00000098 ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
KeyHandle => 0x00000098 ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:33,719 | 1928 | FindFirstFileExW |
FileName => C:\Users |
SUCCESS | 0x003ead10 | |
| 10:21:33,719 | 1928 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1 |
SUCCESS | 0x003ead10 | |
| 10:21:33,719 | 1928 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData |
SUCCESS | 0x003ead10 | |
| 10:21:33,719 | 1928 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local |
SUCCESS | 0x003ead10 | |
| 10:21:33,719 | 1928 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp |
SUCCESS | 0x003ead10 | |
| 10:21:33,719 | 1928 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000098 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x0000009c ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a0 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x00000098 ValueName => 00000409 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x000000a0 ValueName => 1 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CopyFileExW FunctionAddress => 0x77203b92 ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => IsDebuggerPresent FunctionAddress => 0x771e4a5d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetConsoleInputExeNameW FunctionAddress => 0x771fa79d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:33,719 | 1928 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat |
SUCCESS | 0x003ead10 | |
| 10:21:33,781 | 1928 | CreateProcessInternalW |
ApplicationName => C:\Windows\system32\cmd.exe ProcessId => 2240 CommandLine => C:\Windows\system32\cmd.exe /K "C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat" ThreadHandle => 0x000000a4 ProcessHandle => 0x000000a8 ThreadId => 2244 CreationFlags => 0x00080410 |
SUCCESS | 0x00000001 | |
| 10:21:33,781 | 1928 | NtResumeThread |
SuspendCount => 0 ThreadHandle => 0x000000a4 |
SUCCESS | 0x00000000 |
cmd.exe PID: 2240, Parent PID: 1924
| Timestamp | Thread | Function | Arguments | Status | Return | Repeated |
|---|---|---|---|---|---|---|
| 10:21:34,266 | 2244 | NtOpenDirectoryObject |
DirectoryHandle => 0x00000090 DesiredAccess => 15 ObjectAttributes => C:\Sessions\1\BaseNamedObjects |
SUCCESS | 0x00000000 | |
| 10:21:34,266 | 2244 | NtOpenThread |
DesiredAccess => 2097151 ObjectAttributes => ThreadHandle => 0x00000094 |
SUCCESS | 0x00000000 | |
| 10:21:34,281 | 2244 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:34,281 | 2244 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetThreadUILanguage FunctionAddress => 0x771fa84f ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtOpenKey |
DesiredAccess => 33554432 KeyHandle => 0x00000098 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtOpenKeyEx |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => Software\Policies\Microsoft\Windows\System |
FAILURE | 0xc0000034 | |
| 10:21:34,297 | 2244 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x0000009c ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
KeyHandle => 0x0000009c ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
Information => 1 KeyHandle => 0x0000009c ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
KeyHandle => 0x0000009c ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
Information => 0 KeyHandle => 0x0000009c ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
Information => 64 KeyHandle => 0x0000009c ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
Information => 64 KeyHandle => 0x0000009c ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
KeyHandle => 0x0000009c ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:34,297 | 2244 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x0000009c ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
KeyHandle => 0x0000009c ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
Information => 1 KeyHandle => 0x0000009c ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
KeyHandle => 0x0000009c ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
Information => 0 KeyHandle => 0x0000009c ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
Information => 9 KeyHandle => 0x0000009c ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
Information => 9 KeyHandle => 0x0000009c ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
KeyHandle => 0x0000009c ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:34,297 | 2244 | FindFirstFileExW |
FileName => C:\Users |
SUCCESS | 0x0050ad78 | |
| 10:21:34,297 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1 |
SUCCESS | 0x0050ad78 | |
| 10:21:34,297 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData |
SUCCESS | 0x0050ad78 | |
| 10:21:34,297 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local |
SUCCESS | 0x0050ad78 | |
| 10:21:34,297 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp |
SUCCESS | 0x0050ad78 | |
| 10:21:34,297 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x0000009c ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a0 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a4 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x0000009c ValueName => 00000409 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:34,297 | 2244 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x000000a4 ValueName => 1 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:34,313 | 2244 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:34,313 | 2244 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CopyFileExW FunctionAddress => 0x77203b92 ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:34,313 | 2244 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => IsDebuggerPresent FunctionAddress => 0x771e4a5d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:34,313 | 2244 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetConsoleInputExeNameW FunctionAddress => 0x771fa79d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:34,313 | 2244 | NtOpenFile |
ShareAccess => 0 FileName => C:\ DesiredAccess => 0x00100000 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,313 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000a8 FileInformation => \x02\x00\x00\x00\\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,313 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat |
SUCCESS | 0x0050ad78 | |
| 10:21:34,328 | 2244 | LdrLoadDll |
Flags => 3798144 BaseAddress => 0x76d50000 FileName => ADVAPI32.dll |
SUCCESS | 0x00000000 | |
| 10:21:34,328 | 2244 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SaferIdentifyLevel FunctionAddress => 0x76d72102 ModuleHandle => 0x76d50000 |
SUCCESS | 0x00000000 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 1 KeyHandle => 0x000000a8 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
SUCCESS | 0x00000000 | |
| 10:21:34,328 | 2244 | NtQueryValueKey |
KeyHandle => 0x000000a8 ValueName => Levels |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a8 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
SUCCESS | 0x00000000 | |
| 10:21:34,328 | 2244 | NtQueryValueKey |
KeyHandle => 0x000000a8 ValueName => DefaultLevel |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a8 ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
SUCCESS | 0x00000000 | |
| 10:21:34,328 | 2244 | NtQueryValueKey |
KeyHandle => 0x000000a8 ValueName => SaferFlags |
FAILURE | 0xc0000034 | |
| 10:21:34,328 | 2244 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
FAILURE | 0xc0000034 | 1 time |
| 10:21:34,344 | 2244 | NtOpenKey |
DesiredAccess => 131353 KeyHandle => 0x000000a8 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Srp\\GP\ |
SUCCESS | 0x00000000 | |
| 10:21:34,344 | 2244 | NtQueryValueKey |
KeyHandle => 0x000000a8 ValueName => RuleCount |
FAILURE | 0xc0000034 | |
| 10:21:34,344 | 2244 | NtOpenKey |
DesiredAccess => 1 KeyHandle => 0x000000ac ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
SUCCESS | 0x00000000 | |
| 10:21:34,344 | 2244 | NtQueryValueKey |
KeyHandle => 0x000000ac ValueName => PolicyScope |
FAILURE | 0xc0000034 | |
| 10:21:34,344 | 2244 | NtCreateFile |
ShareAccess => 1 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000ac |
SUCCESS | 0x00000000 | |
| 10:21:34,344 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat DesiredAccess => 0x00100080 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | 2 times |
| 10:21:34,344 | 2244 | NtDeviceIoControlFile |
InputBuffer => FileHandle => 0x000000a8 OutputBuffer => H :\x00H :\x00C :\x00\x00\x00\x00\x00\xa0 :\x00\x00\x00\x1a\x00\xac\xee9\x01\xd8\xed9\x00\xa0\x00\x00\x00\xac\xf59\x00\xcd\x1e\x81w\xf5\xe2\xf7\x00\xfe\xff\xff\xff\xa3<}w\xce<}w\xa8\x00\x00\x00\xb0\x00\x00\x00B :\x00@ :\x00\x90\xc1oe\xa8\x00\x00\x00&\xe0|w\xf8\xee9\x00F)\x12vD\x00\x00\x00\x01\x00\x00\x00\xe4\xee9\x00:\x9aQ\x008.\x1a\x00\x80\x14\x1a\x00\x01\x08\x00\x00\xf0\xd2P\x00\x00\x00O\x00\x08\x13Q\x00\xb6(\x12vD\x00\x00\x00\x1c\xef9\x00\x00\x00\x00\x00\x02\x00\x00\x00\xfc\xef9\x00\x01\x08\x00\x00\x00\x00O\x00\xf0\xd2P\x00\xfc\xef9\x00t<}w\xa3<}wi\xc5\xb2w\xa8\x00\x00\x00\x00\x00\x00\x00\x00\x00O\x00\xd87O\x00\x90\xc1oeH :\x00\xd87O\x00\x8c\xef9\x00\xc08O\x00\x03\x08\x00\x0b\x02\x00\x00\x00\x00\xef9\x00\xd87O\x006\x06\x00\x00\xf8\xd2P\x00\x88\xef9\x00\xff\x07\x00\x00 |
FAILURE | 0xc000000d | |
| 10:21:34,344 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \xa3<}w\x01\x00\x00\x00\xe8\x9aQ\x00\x00\x00\x00\x00\xf2\xd2P\x00\x01\x00\x00\x00|\xf09\x00~\x06\x1fw\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00 \x02\xff\xff\xff\xff\x00 \x00\x008\x9aQ\x00\x00\x00\x00\x008\x9aQ\x00\xc0\xf09\x00T\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00@\x86\xe6I|\xf09\x00\xac\x9e\x17w@\x86\xe6I\xa8\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xbf\xf4\x13\xdb\xec\xf09\x00\xea\x08\x1fw8\x9aQ\x00\xf8\xd2P\x00\x00 \x00\x00\xc0\xf09\x008\xf19\x00\x08\x02\x00\x00@\x86\xe6I\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00H\xf19\x00\x94\x00\x96\x008\x9aQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x008\x9aQ\x00\x94\x00\x94\x008\x9aQ\x00\xf8\xd2P\x00\x02\x00\x00\x00P\xf39\x00P\xf19\x00\\x00?\x00?\x00\\x00/\xf4\x13\xdb\x04\xf19\x00\x10\x07\x1fw\x00\x00\x00\x00@\x86\xe6I |
FAILURE | 0xc0000024 | |
| 10:21:34,344 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x00000000 |
FAILURE | 0xc0000033 | |
| 10:21:34,344 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp DesiredAccess => 0x00100080 FileHandle => 0x00000000 |
FAILURE | 0xc00000ba | |
| 10:21:34,344 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => |
FAILURE | 0xc0000024 | |
| 10:21:34,344 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,344 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp DesiredAccess => 0x00100080 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | 1 time |
| 10:21:34,344 | 2244 | NtDeviceIoControlFile |
InputBuffer => FileHandle => 0x000000a8 OutputBuffer => \x00\x00O\x00\x01\x00\x00\x00\xe0\x9aQ\x00p\xef9\x00\x9e8}w8\x01O\x00z8}w\xe5\xc5\xb2w\x00\x00\x00\x00\x00\x00O\x00\xe8\x9aQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00T\xef9\x00\xe1\xaa}w\xc4\x00O\x00\xd87O\x00\xd4\x01\x1aw\x00\x00O\x00P\x01O\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd87O\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00T\xef9\x00\x08\x00\x00\x08 \x06\x00\x00\xb0\xef9\x00\x18\xf7O\x00\x1d'leT\x00\x00\x00\xb9>oe\x00\x00\x00\x00\x00\x00\x00\x00\xd87O\x000<oe\x0c\xf09\x00\xe8\x9aQ\x00\xc4\x00O\x00\x90;oe\xa0\x06\x00\x00\x00\x00\x00\x003\x00\x00\xc0\x85\xdf|w\x00\x00\x00\x00\x88\xef9\x00\x1fb}w$b}w\x1d\xc5\xb2w\x00\x00\x00\x00\x85\xdf|w3\x00\x00\xc0`\xef9\x00 |
FAILURE | 0xc000000d | |
| 10:21:34,344 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \xa3<}w\x01\x00\x00\x00\xe8\x9aQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00|\xf09\x00~\x06\x1fw\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00 \x02\xff\xff\xff\xff\x00 \x00\x008\x9aQ\x00\x00\x00\x00\x008\x9aQ\x00\xc0\xf09\x00T\x00\x00\x00\x02\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00@\x86\xe6I|\xf09\x00\xac\x9e\x17w@\x86\xe6I\xa8\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xbf\xf4\x13\xdb\xec\xf09\x00\xea\x08\x1fw8\x9aQ\x00\xf8\xd2P\x00\x00 \x00\x00\xc0\xf09\x008\xf19\x00\x08\x02\x00\x00@\x86\xe6I\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00H\xf19\x00J\x00L\x008\x9aQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x008\x9aQ\x00J\x00L\x008\x9aQ\x00\xf8\xd2P\x00\x02\x00\x00\x00P\xf39\x00P\xf19\x00\\x00?\x00?\x00\\x00/\xf4\x13\xdb\x04\xf19\x00\x10\x07\x1fw\x00\x00\x00\x00@\x86\xe6I |
FAILURE | 0xc0000024 | |
| 10:21:34,344 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,344 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local DesiredAccess => 0x00100080 FileHandle => 0x00000000 |
FAILURE | 0xc00000ba | |
| 10:21:34,344 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => |
FAILURE | 0xc0000024 | |
| 10:21:34,344 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,344 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local DesiredAccess => 0x00100080 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | 1 time |
| 10:21:34,344 | 2244 | NtDeviceIoControlFile |
InputBuffer => FileHandle => 0x000000a8 OutputBuffer => \x00\x00O\x00\x01\x00\x00\x00\xe0\x9aQ\x00p\xef9\x00\x9e8}w8\x01O\x00z8}w\xe5\xc5\xb2w\x00\x00\x00\x00\x00\x00O\x00\xe8\x9aQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00T\xef9\x00\xe1\xaa}w\xc4\x00O\x00\xd87O\x00\xd4\x01\x1aw\x00\x00O\x00P\x01O\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd87O\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00T\xef9\x00\x08\x00\x00\x08 \x06\x00\x00\xb0\xef9\x00\x18\xf7O\x00\x1d'leT\x00\x00\x00\xb9>oe\x01\x00\x00\x00\x00\x00\x00\x00\xd87O\x000<oe\x0c\xf09\x00\xe8\x9aQ\x00\xc4\x00O\x00\x90;oe\xa0\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x001\x00\x00D'\x01\x01\x90\xee9\x00\x01\x00\x00\x00\xac\xf59\x00\xcd\x1e\x81w\xd5\xe2\xf7\x00\xfe\xff\xff\xffz8}w |
FAILURE | 0xc000000d | |
| 10:21:34,344 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \xa3<}w\x01\x00\x00\x00\xe8\x9aQ\x00\x00\x00\x00\x00\xfe\xff\xff\xff\x01\x00\x00\x00|\xf09\x00~\x06\x1fw\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00 \x02\xff\xff\xff\xff\x00 \x00\x008\x9aQ\x00\x00\x00\x00\x008\x9aQ\x00\xc0\xf09\x00T\x00\x00\x00\x02\x00\x00\x00\xa8\x00\x00\x00\x01\x00\x00\x00@\x86\xe6I|\xf09\x00\xac\x9e\x17w@\x86\xe6I\xa8\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xbf\xf4\x13\xdb\xec\xf09\x00\xea\x08\x1fw8\x9aQ\x00\xf8\xd2P\x00\x00 \x00\x00\xc0\xf09\x008\xf19\x00\x08\x02\x00\x00@\x86\xe6I\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00H\xf19\x00@\x00B\x008\x9aQ\x00T\x00\x00\x00x\x9aQ\x00\x01\x00\x00\x008\x9aQ\x00@\x00B\x008\x9aQ\x00\xf8\xd2P\x00\x02\x00\x00\x00P\xf39\x00P\xf19\x00\\x00?\x00?\x00\\x00/\xf4\x13\xdb\x04\xf19\x00\x10\x07\x1fw\x00\x00\x00\x00@\x86\xe6I |
FAILURE | 0xc0000024 | |
| 10:21:34,344 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,344 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData DesiredAccess => 0x00100080 FileHandle => 0x00000000 |
FAILURE | 0xc00000ba | |
| 10:21:34,344 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => |
FAILURE | 0xc0000024 | |
| 10:21:34,344 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,344 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData DesiredAccess => 0x00100080 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | 1 time |
| 10:21:34,344 | 2244 | NtDeviceIoControlFile |
InputBuffer => FileHandle => 0x000000a8 OutputBuffer => \x00\x00O\x00\x01\x00\x00\x00\xe0\x9aQ\x00p\xef9\x00\x9e8}w8\x01O\x00z8}w\xe5\xc5\xb2w\x00\x00\x00\x00\x00\x00O\x00\xe8\x9aQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00T\xef9\x00\xe1\xaa}w\xc4\x00O\x00\xd87O\x00\xd4\x01\x1aw\x00\x00O\x00P\x01O\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd87O\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00T\xef9\x00\x08\x00\x00\x08 \x06\x00\x00\xb0\xef9\x00\x18\xf7O\x00\x1d'leT\x00\x00\x00\xb9>oe\x01\x00\x00\x00\x00\x00\x00\x00\xd87O\x000<oe\x0c\xf09\x00\xe8\x9aQ\x00\xc4\x00O\x00\x90;oe\xa0\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x001\x00\x00D'\x01\x01\x90\xee9\x00\x01\x00\x00\x00\xac\xf59\x00\xcd\x1e\x81w\xd5\xe2\xf7\x00\xfe\xff\xff\xffz8}w |
FAILURE | 0xc000000d | |
| 10:21:34,344 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \xa3<}w\x01\x00\x00\x00\xe8\x9aQ\x00\x00\x00\x00\x00\xfe\xff\xff\xff\x01\x00\x00\x00|\xf09\x00~\x06\x1fw\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00 \x02\xff\xff\xff\xff\x00 \x00\x008\x9aQ\x00\x00\x00\x00\x008\x9aQ\x00\xc0\xf09\x00T\x00\x00\x00\x02\x00\x00\x00\xa8\x00\x00\x00\x01\x00\x00\x00@\x86\xe6I|\xf09\x00\xac\x9e\x17w@\x86\xe6I\xa8\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xbf\xf4\x13\xdb\xec\xf09\x00\xea\x08\x1fw8\x9aQ\x00\xf8\xd2P\x00\x00 \x00\x00\xc0\xf09\x008\xf19\x00\x08\x02\x00\x00@\x86\xe6I\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00H\xf19\x004\x006\x008\x9aQ\x00L\x00\x00\x00l\x9aQ\x00\x01\x00\x00\x008\x9aQ\x004\x006\x008\x9aQ\x00\xf8\xd2P\x00\x02\x00\x00\x00P\xf39\x00P\xf19\x00\\x00?\x00?\x00\\x00/\xf4\x13\xdb\x04\xf19\x00\x10\x07\x1fw\x00\x00\x00\x00@\x86\xe6I |
FAILURE | 0xc0000024 | |
| 10:21:34,344 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,344 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1 DesiredAccess => 0x00100080 FileHandle => 0x00000000 |
FAILURE | 0xc00000ba | |
| 10:21:34,344 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => |
FAILURE | 0xc0000024 | |
| 10:21:34,344 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,344 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1 DesiredAccess => 0x00100080 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | 1 time |
| 10:21:34,344 | 2244 | NtDeviceIoControlFile |
InputBuffer => FileHandle => 0x000000a8 OutputBuffer => \x00\x00O\x00\x01\x00\x00\x00\xe0\x9aQ\x00p\xef9\x00\x9e8}w8\x01O\x00z8}w\xe5\xc5\xb2w\x00\x00\x00\x00\x00\x00O\x00\xe8\x9aQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00T\xef9\x00\xe1\xaa}w\xc4\x00O\x00\xd87O\x00\xd4\x01\x1aw\x00\x00O\x00P\x01O\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd87O\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00T\xef9\x00\x08\x00\x00\x08 \x06\x00\x00\xb0\xef9\x00\x18\xf7O\x00\x1d'leT\x00\x00\x00\xb9>oe\x01\x00\x00\x00\x00\x00\x00\x00\xd87O\x000<oe\x0c\xf09\x00\xe8\x9aQ\x00\xc4\x00O\x00\x90;oe\xa0\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x001\x00\x00D'\x01\x01\x90\xee9\x00\x01\x00\x00\x00\xac\xf59\x00\xcd\x1e\x81w\xd5\xe2\xf7\x00\xfe\xff\xff\xffz8}w |
FAILURE | 0xc000000d | |
| 10:21:34,344 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \xa3<}w\x01\x00\x00\x00\xe8\x9aQ\x00\x00\x00\x00\x00\xfe\xff\xff\xff\x01\x00\x00\x00|\xf09\x00~\x06\x1fw\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00 \x02\xff\xff\xff\xff\x00 \x00\x008\x9aQ\x00\x00\x00\x00\x008\x9aQ\x00\xc0\xf09\x00T\x00\x00\x00\x02\x00\x00\x00\xa8\x00\x00\x00\x01\x00\x00\x00@\x86\xe6I|\xf09\x00\xac\x9e\x17w@\x86\xe6I\xa8\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xbf\xf4\x13\xdb\xec\xf09\x00\xea\x08\x1fw8\x9aQ\x00\xf8\xd2P\x00\x00 \x00\x00\xc0\xf09\x008\xf19\x00\x08\x02\x00\x00@\x86\xe6I\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00H\xf19\x00$\x00&\x008\x9aQ\x00A\x00\x00\x00\\x9aQ\x00\x01\x00\x00\x008\x9aQ\x00$\x00&\x008\x9aQ\x00\xf8\xd2P\x00\x02\x00\x00\x00P\xf39\x00P\xf19\x00\\x00?\x00?\x00\\x00/\xf4\x13\xdb\x04\xf19\x00\x10\x07\x1fw\x00\x00\x00\x00@\x86\xe6I |
FAILURE | 0xc0000024 | |
| 10:21:34,359 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users DesiredAccess => 0x00100080 FileHandle => 0x00000000 |
FAILURE | 0xc00000ba | |
| 10:21:34,359 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => |
FAILURE | 0xc0000024 | |
| 10:21:34,359 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C:\Users DesiredAccess => 0x00100080 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | 1 time |
| 10:21:34,359 | 2244 | NtDeviceIoControlFile |
InputBuffer => FileHandle => 0x000000a8 OutputBuffer => \x00\x00O\x00\x01\x00\x00\x00\xe0\x9aQ\x00p\xef9\x00\x9e8}w8\x01O\x00z8}w\xe5\xc5\xb2w\x00\x00\x00\x00\x00\x00O\x00\xe8\x9aQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00T\xef9\x00\xe1\xaa}w\xc4\x00O\x00\xd87O\x00\xd4\x01\x1aw\x00\x00O\x00P\x01O\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd87O\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00T\xef9\x00\x08\x00\x00\x08 \x06\x00\x00\xb0\xef9\x00\x18\xf7O\x00\x1d'leT\x00\x00\x00\xb9>oe\x01\x00\x00\x00\x00\x00\x00\x00\xd87O\x000<oe\x0c\xf09\x00\xe8\x9aQ\x00\xc4\x00O\x00\x90;oe\xa0\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x001\x00\x00D'\x01\x01\x90\xee9\x00\x01\x00\x00\x00\xac\xf59\x00\xcd\x1e\x81w\xd5\xe2\xf7\x00\xfe\xff\xff\xffz8}w |
FAILURE | 0xc000000d | |
| 10:21:34,359 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \xa3<}w\x01\x00\x00\x00\xe8\x9aQ\x00\x00\x00\x00\x00\xfe\xff\xff\xff\x01\x00\x00\x00|\xf09\x00~\x06\x1fw\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00 \x02\xff\xff\xff\xff\x00 \x00\x008\x9aQ\x00\x00\x00\x00\x008\x9aQ\x00\xc0\xf09\x00T\x00\x00\x00\x02\x00\x00\x00\xa8\x00\x00\x00\x01\x00\x00\x00@\x86\xe6I|\xf09\x00\xac\x9e\x17w@\x86\xe6I\xa8\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xbf\xf4\x13\xdb\xec\xf09\x00\xea\x08\x1fw8\x9aQ\x00\xf8\xd2P\x00\x00 \x00\x00\xc0\xf09\x008\xf19\x00\x08\x02\x00\x00@\x86\xe6I\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00H\xf19\x00\x12\x00\x14\x008\x9aQ\x00A\x00\x00\x00J\x9aQ\x00\x01\x00\x00\x008\x9aQ\x00\x12\x00\x14\x008\x9aQ\x00\xf8\xd2P\x00\x02\x00\x00\x00P\xf39\x00P\xf19\x00\\x00?\x00?\x00\\x00/\xf4\x13\xdb\x04\xf19\x00\x10\x07\x1fw\x00\x00\x00\x00@\x86\xe6I |
FAILURE | 0xc0000024 | |
| 10:21:34,359 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtOpenFile |
ShareAccess => 3 FileName => C: DesiredAccess => 0x00100080 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtDeviceIoControlFile |
InputBuffer => FileHandle => 0x000000a8 OutputBuffer => .\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x002\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtQueryInformationFile |
FileHandle => 0xffffffff FileInformation => \xd5\xe2\xf7\x00\x00\x00\x00\x008\x9bQ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x80\xf09\x00\xa3\x04\x1fw\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x008\x9aQ\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00l\xee9\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\xd2P\x000\x00\x00\x00\x10\x9dQ\x00\xa8\x00\x00\x00.\x000\x00\x18\xf7O\x00.\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x002\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00T\xef9\x00\xe1\xaa}w\xc4\x00O\x00\xd87O\x00\xd4\x01\x1aw\x00\x00O\x00P\x01O\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd87O\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\x06\x00\x00\x00\x00\x00\x00 |
FAILURE | 0xc0000024 | |
| 10:21:34,359 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => MountPointManager DesiredAccess => 0x00100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtDeviceIoControlFile |
InputBuffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00.\x00\x00\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x002\x00 FileHandle => 0x000000a8 OutputBuffer => \xee\x00\x00\x00\x02\x00\x00\x00 |
FAILURE | 0x80000005 | |
| 10:21:34,359 | 2244 | NtDeviceIoControlFile |
InputBuffer => \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00.\x00\x00\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x002\x00 FileHandle => 0x000000a8 OutputBuffer => \xee\x00\x00\x00\x02\x00\x00\x00r\x00\x00\x00\x1c\x00\x00\x008\x00\x00\x00\x0c\x00\x00\x00D\x00\x00\x00.\x00v\x00\x8e\x00\x00\x00`\x00\\x008\x00\x00\x00\x0c\x00d\x00D\x00\x00\x00.\x00k\x00\xde!XU\x00\x00\xd0\x12\x00\x00\x00\x00\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x002\x00\\x00D\x00o\x00s\x00D\x00e\x00v\x00i\x00c\x00e\x00s\x00\\x00C\x00:\x00\\x00?\x00?\x00\\x00V\x00o\x00l\x00u\x00m\x00e\x00{\x00f\x000\x008\x00d\x000\x002\x00c\x00c\x00-\x00e\x009\x001\x005\x00-\x001\x001\x00e\x003\x00-\x00a\x001\x00a\x00c\x00-\x008\x000\x006\x00e\x006\x00f\x006\x00e\x006\x009\x006\x003\x00}\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \x8e\x00\x00\x00\\x00U\x00s\x00e\x00r\x00s\x00\\x00A\x00D\x00M\x00I\x00N\x00I\x00~\x001\x00\\x00A\x00p\x00p\x00D\x00a\x00t\x00a\x00\\x00L\x00o\x00c\x00a\x00l\x00\\x00T\x00e\x00m\x00p\x00\\x00c\x00e\x005\x001\x00e\x00a\x00e\x00f\x008\x00d\x00a\x00b\x008\x00d\x002\x00f\x002\x00c\x000\x007\x003\x004\x005\x006\x00e\x00c\x00a\x005\x00a\x00d\x00b\x006\x00.\x00b\x00a\x00t\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | FindFirstFileExW |
FileName => C:\Users |
SUCCESS | 0x004ff718 | |
| 10:21:34,359 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1 |
SUCCESS | 0x004ff718 | |
| 10:21:34,359 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData |
SUCCESS | 0x004ff718 | |
| 10:21:34,359 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local |
SUCCESS | 0x004ff718 | |
| 10:21:34,359 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp |
SUCCESS | 0x004ff718 | |
| 10:21:34,359 | 2244 | NtOpenKey |
DesiredAccess => 1 KeyHandle => 0x000000ac ObjectAttributes => \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtQueryValueKey |
KeyHandle => 0x000000ac ValueName => LogFileName |
FAILURE | 0xc0000034 | |
| 10:21:34,359 | 2244 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SaferComputeTokenFromLevel FunctionAddress => 0x76d73352 ModuleHandle => 0x76d50000 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtOpenKey |
DesiredAccess => 3 KeyHandle => 0x00000000 ObjectAttributes => \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option |
FAILURE | 0xc0000034 | |
| 10:21:34,359 | 2244 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SaferCloseLevel FunctionAddress => 0x76d73825 ModuleHandle => 0x76d50000 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000ac |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \x00\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,359 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,375 | 2244 | NtReadFile |
Buffer => cmd.exe /c type c:\flag1.txt
cmd.exe /c type c:\Windows\flag2.txt
cmd.exe /c type c:\Users\Administrator\Documents\flag3.txt
cmd.exe /c type c:\Users\Administrator\AppData\Roaming\flag4.txt
FileHandle => 0x000000ac |
SUCCESS | 0x00000000 | |
| 10:21:34,375 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,375 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \x1e\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,375 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,375 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \x1e\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,375 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,375 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => |
SUCCESS | 0x00000001 | |
| 10:21:34,375 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => C:\Users\ADMINI~1\AppData\Local\Temp> |
SUCCESS | 0x00000001 | |
| 10:21:34,375 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => cmd.exe |
SUCCESS | 0x00000001 | |
| 10:21:34,375 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => /c type c:\flag1.txt |
SUCCESS | 0x00000001 | |
| 10:21:34,375 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => |
SUCCESS | 0x00000001 | |
| 10:21:34,375 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:34,375 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe.* |
SUCCESS | 0xffffffff | |
| 10:21:34,375 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:34,375 | 2244 | FindFirstFileExW |
FileName => C:\Windows\system32\cmd.exe |
SUCCESS | 0x00519e80 | |
| 10:21:34,375 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:34,375 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe.* |
SUCCESS | 0xffffffff | |
| 10:21:34,375 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:34,375 | 2244 | FindFirstFileExW |
FileName => C:\Windows\system32\cmd.exe |
SUCCESS | 0x0051a428 | |
| 10:21:34,516 | 2244 | CreateProcessInternalW |
ApplicationName => C:\Windows\system32\cmd.exe ProcessId => 2280 CommandLine => cmd.exe /c type c:\flag1.txt ThreadHandle => 0x000000ac ProcessHandle => 0x000000a8 ThreadId => 2284 CreationFlags => 0x00080000 |
SUCCESS | 0x00000001 | |
| 10:21:34,922 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtSetInformationFile |
FileHandle => 0x000000a8 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x00529000 |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x00523000 |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x0051a000 |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00001000 BaseAddress => 0x0050e000 |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000a8 FileInformation => \x1e\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtSetInformationFile |
FileHandle => 0x000000a8 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtReadFile |
Buffer => cmd.exe /c type c:\Windows\flag2.txt
cmd.exe /c type c:\Users\Administrator\Documents\flag3.txt
cmd.exe /c type c:\Users\Administrator\AppData\Roaming\flag4.txt
FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtSetInformationFile |
FileHandle => 0x000000a8 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000a8 FileInformation => D\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtSetInformationFile |
FileHandle => 0x000000a8 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000a8 FileInformation => D\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | NtSetInformationFile |
FileHandle => 0x000000a8 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,922 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => |
SUCCESS | 0x00000001 | |
| 10:21:34,922 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => C:\Users\ADMINI~1\AppData\Local\Temp> |
SUCCESS | 0x00000001 | |
| 10:21:34,922 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => cmd.exe |
SUCCESS | 0x00000001 | |
| 10:21:34,922 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => /c type c:\Windows\flag2.txt |
SUCCESS | 0x00000001 | |
| 10:21:34,922 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => |
SUCCESS | 0x00000001 | |
| 10:21:34,922 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:34,922 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe.* |
SUCCESS | 0xffffffff | |
| 10:21:34,922 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:34,922 | 2244 | FindFirstFileExW |
FileName => C:\Windows\system32\cmd.exe |
SUCCESS | 0x0051ed40 | |
| 10:21:34,922 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:34,922 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe.* |
SUCCESS | 0xffffffff | |
| 10:21:34,922 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:34,922 | 2244 | FindFirstFileExW |
FileName => C:\Windows\system32\cmd.exe |
SUCCESS | 0x0051ed40 | |
| 10:21:34,984 | 2244 | CreateProcessInternalW |
ApplicationName => C:\Windows\system32\cmd.exe ProcessId => 2304 CommandLine => cmd.exe /c type c:\Windows\flag2.txt ThreadHandle => 0x000000a8 ProcessHandle => 0x000000ac ThreadId => 2308 CreationFlags => 0x00080000 |
SUCCESS | 0x00000001 | |
| 10:21:35,344 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000ac |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x0050e000 |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x0051f000 |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00001000 BaseAddress => 0x00533000 |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => D\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtReadFile |
Buffer => cmd.exe /c type c:\Users\Administrator\Documents\flag3.txt
cmd.exe /c type c:\Users\Administrator\AppData\Roaming\flag4.txt
FileHandle => 0x000000ac |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \x80\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00006000 BaseAddress => 0x0051f000 |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x0050e000 |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x00533000 |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x00529000 |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \x80\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,344 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => |
SUCCESS | 0x00000001 | |
| 10:21:35,344 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => C:\Users\ADMINI~1\AppData\Local\Temp> |
SUCCESS | 0x00000001 | |
| 10:21:35,344 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => cmd.exe |
SUCCESS | 0x00000001 | |
| 10:21:35,359 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => /c type c:\Users\Administrator\Documents\flag3.txt |
SUCCESS | 0x00000001 | |
| 10:21:35,359 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => |
SUCCESS | 0x00000001 | |
| 10:21:35,359 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:35,359 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe.* |
SUCCESS | 0xffffffff | |
| 10:21:35,359 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:35,359 | 2244 | FindFirstFileExW |
FileName => C:\Windows\system32\cmd.exe |
SUCCESS | 0x0051ed40 | |
| 10:21:35,359 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:35,359 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe.* |
SUCCESS | 0xffffffff | |
| 10:21:35,359 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:35,359 | 2244 | FindFirstFileExW |
FileName => C:\Windows\system32\cmd.exe |
SUCCESS | 0x0051ed40 | |
| 10:21:35,406 | 2244 | CreateProcessInternalW |
ApplicationName => C:\Windows\system32\cmd.exe ProcessId => 2328 CommandLine => cmd.exe /c type c:\Users\Administrator\Documents\flag3.txt ThreadHandle => 0x000000ac ProcessHandle => 0x000000a8 ThreadId => 2332 CreationFlags => 0x00080000 |
SUCCESS | 0x00000001 | |
| 10:21:35,531 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtSetInformationFile |
FileHandle => 0x000000a8 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00004000 BaseAddress => 0x00529000 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x00533000 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x0052e000 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x0051a000 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x00526000 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x00520000 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00001000 BaseAddress => 0x0050e000 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000a8 FileInformation => \x80\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtSetInformationFile |
FileHandle => 0x000000a8 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtReadFile |
Buffer => cmd.exe /c type c:\Users\Administrator\AppData\Roaming\flag4.txt
FileHandle => 0x000000a8 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtSetInformationFile |
FileHandle => 0x000000a8 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000a8 FileInformation => \xc2\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,531 | 2244 | NtSetInformationFile |
FileHandle => 0x000000a8 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,547 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000a8 FileInformation => \xc2\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,547 | 2244 | NtSetInformationFile |
FileHandle => 0x000000a8 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,547 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => |
SUCCESS | 0x00000001 | |
| 10:21:35,547 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => C:\Users\ADMINI~1\AppData\Local\Temp> |
SUCCESS | 0x00000001 | |
| 10:21:35,547 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => cmd.exe |
SUCCESS | 0x00000001 | |
| 10:21:35,547 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => /c type c:\Users\Administrator\AppData\Roaming\flag4.txt |
SUCCESS | 0x00000001 | |
| 10:21:35,547 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => |
SUCCESS | 0x00000001 | |
| 10:21:35,547 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:35,547 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe.* |
SUCCESS | 0xffffffff | |
| 10:21:35,547 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:35,547 | 2244 | FindFirstFileExW |
FileName => C:\Windows\system32\cmd.exe |
SUCCESS | 0x0051ed40 | |
| 10:21:35,547 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:35,547 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe.* |
SUCCESS | 0xffffffff | |
| 10:21:35,547 | 2244 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp\cmd.exe |
SUCCESS | 0xffffffff | |
| 10:21:35,547 | 2244 | FindFirstFileExW |
FileName => C:\Windows\system32\cmd.exe |
SUCCESS | 0x0051ed40 | |
| 10:21:35,578 | 2244 | CreateProcessInternalW |
ApplicationName => C:\Windows\system32\cmd.exe ProcessId => 2352 CommandLine => cmd.exe /c type c:\Users\Administrator\AppData\Roaming\flag4.txt ThreadHandle => 0x000000a8 ProcessHandle => 0x000000ac ThreadId => 2356 CreationFlags => 0x00080000 |
SUCCESS | 0x00000001 | |
| 10:21:35,719 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000ac |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \xc2\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtReadFile |
Buffer =>
FileHandle => 0x000000ac |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \xc4\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x0050e000 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x0051f000 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x00529000 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00002000 BaseAddress => 0x0051b000 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00001000 BaseAddress => 0x00535000 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \xc4\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtCreateFile |
ShareAccess => 3 FileName => C:\Users\ADMINI~1\AppData\Local\Temp\ce51eaef8dab8d2f2c073456eca5adb6.bat DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000ac |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \xc4\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtReadFile |
Buffer => FileHandle => 0x000000ac |
FAILURE | 0xc0000011 | |
| 10:21:35,719 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \xc8\x00\x00\x00\x00\x00\x00\x00\xc4\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \xc4\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtReadFile |
Buffer => FileHandle => 0x000000ac |
FAILURE | 0xc0000011 | |
| 10:21:35,719 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \xc8\x00\x00\x00\x00\x00\x00\x00\xc4\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtQueryInformationFile |
FileHandle => 0x000000ac FileInformation => \xc4\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,719 | 2244 | NtSetInformationFile |
FileHandle => 0x000000ac FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,734 | 2244 | NtOpenKey |
DesiredAccess => 1 KeyHandle => 0x000000ac ObjectAttributes => \Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR |
SUCCESS | 0x00000000 | |
| 10:21:35,734 | 2244 | NtQueryValueKey |
Information => 1 KeyHandle => 0x000000ac ValueName => Disable Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,734 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x00516000 |
SUCCESS | 0x00000000 | |
| 10:21:35,734 | 2244 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00003000 BaseAddress => 0x0050e000 |
SUCCESS | 0x00000000 | |
| 10:21:35,734 | 2244 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => C:\Users\ADMINI~1\AppData\Local\Temp> |
SUCCESS | 0x00000001 |
cmd.exe PID: 2280, Parent PID: 2240
| Timestamp | Thread | Function | Arguments | Status | Return | Repeated |
|---|---|---|---|---|---|---|
| 10:21:34,875 | 2284 | NtOpenDirectoryObject |
DirectoryHandle => 0x00000098 DesiredAccess => 15 ObjectAttributes => C:\Sessions\1\BaseNamedObjects |
SUCCESS | 0x00000000 | |
| 10:21:34,875 | 2284 | NtOpenThread |
DesiredAccess => 2097151 ObjectAttributes => ThreadHandle => 0x0000009c |
SUCCESS | 0x00000000 | |
| 10:21:34,875 | 2284 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:34,875 | 2284 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetThreadUILanguage FunctionAddress => 0x771fa84f ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:34,875 | 2284 | NtOpenKey |
DesiredAccess => 33554432 KeyHandle => 0x000000a0 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtOpenKeyEx |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => Software\Policies\Microsoft\Windows\System |
FAILURE | 0xc0000034 | |
| 10:21:34,891 | 2284 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x000000a4 ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
Information => 1 KeyHandle => 0x000000a4 ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
Information => 0 KeyHandle => 0x000000a4 ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
Information => 64 KeyHandle => 0x000000a4 ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
Information => 64 KeyHandle => 0x000000a4 ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:34,891 | 2284 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x000000a4 ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
Information => 1 KeyHandle => 0x000000a4 ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
Information => 0 KeyHandle => 0x000000a4 ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
Information => 9 KeyHandle => 0x000000a4 ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
Information => 9 KeyHandle => 0x000000a4 ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:34,891 | 2284 | FindFirstFileExW |
FileName => C:\Users |
SUCCESS | 0x0078ac88 | |
| 10:21:34,891 | 2284 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1 |
SUCCESS | 0x0078ac88 | |
| 10:21:34,891 | 2284 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData |
SUCCESS | 0x0078ac88 | |
| 10:21:34,891 | 2284 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local |
SUCCESS | 0x0078ac88 | |
| 10:21:34,891 | 2284 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp |
SUCCESS | 0x0078ac88 | |
| 10:21:34,891 | 2284 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a4 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a8 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000ac ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x000000a4 ValueName => 00000409 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x000000ac ValueName => 1 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CopyFileExW FunctionAddress => 0x77203b92 ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => IsDebuggerPresent FunctionAddress => 0x771e4a5d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetConsoleInputExeNameW FunctionAddress => 0x771fa79d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | FindFirstFileExW |
FileName => c:\flag1.txt |
SUCCESS | 0x0078bf60 | |
| 10:21:34,891 | 2284 | NtCreateFile |
ShareAccess => 3 FileName => c:\flag1.txt DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000b4 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryInformationFile |
FileHandle => 0x000000b4 FileInformation => \x18\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtSetInformationFile |
FileHandle => 0x000000b4 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtReadFile |
Buffer => "HITB{397a2be"
FileHandle => 0x000000b4 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => "HITB{397a2be" |
SUCCESS | 0x00000001 | |
| 10:21:34,891 | 2284 | NtQueryInformationFile |
FileHandle => 0x000000b4 FileInformation => \x11\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtSetInformationFile |
FileHandle => 0x000000b4 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:34,891 | 2284 | NtQueryDirectoryFile |
FileName => FileHandle => 0x000000b0 FileInformation => |
FAILURE | 0x80000006 | |
| 10:21:34,891 | 2284 | LdrGetDllHandle |
ModuleHandle => 0x00000017 FileName => mscoree.dll |
FAILURE | 0xc0000135 | 1 time |
| 10:21:34,891 | 2284 | ExitProcess |
ExitCode => 0 |
SUCCESS | 0x00000000 |
cmd.exe PID: 2304, Parent PID: 2240
| Timestamp | Thread | Function | Arguments | Status | Return | Repeated |
|---|---|---|---|---|---|---|
| 10:21:35,280 | 2308 | NtOpenDirectoryObject |
DirectoryHandle => 0x00000098 DesiredAccess => 15 ObjectAttributes => C:\Sessions\1\BaseNamedObjects |
SUCCESS | 0x00000000 | |
| 10:21:35,296 | 2308 | NtOpenThread |
DesiredAccess => 2097151 ObjectAttributes => ThreadHandle => 0x0000009c |
SUCCESS | 0x00000000 | |
| 10:21:35,296 | 2308 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:35,296 | 2308 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetThreadUILanguage FunctionAddress => 0x771fa84f ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,296 | 2308 | NtOpenKey |
DesiredAccess => 33554432 KeyHandle => 0x000000a0 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500 |
SUCCESS | 0x00000000 | |
| 10:21:35,296 | 2308 | NtOpenKeyEx |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => Software\Policies\Microsoft\Windows\System |
FAILURE | 0xc0000034 | |
| 10:21:35,296 | 2308 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x000000a4 ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
Information => 1 KeyHandle => 0x000000a4 ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
Information => 0 KeyHandle => 0x000000a4 ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
Information => 64 KeyHandle => 0x000000a4 ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
Information => 64 KeyHandle => 0x000000a4 ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:35,312 | 2308 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x000000a4 ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
Information => 1 KeyHandle => 0x000000a4 ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
Information => 0 KeyHandle => 0x000000a4 ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
Information => 9 KeyHandle => 0x000000a4 ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
Information => 9 KeyHandle => 0x000000a4 ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:35,312 | 2308 | FindFirstFileExW |
FileName => C:\Users |
SUCCESS | 0x003dad20 | |
| 10:21:35,312 | 2308 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1 |
SUCCESS | 0x003dad20 | |
| 10:21:35,312 | 2308 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData |
SUCCESS | 0x003dad20 | |
| 10:21:35,312 | 2308 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local |
SUCCESS | 0x003dad20 | |
| 10:21:35,312 | 2308 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp |
SUCCESS | 0x003dad20 | |
| 10:21:35,312 | 2308 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a4 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a8 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000ac ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x000000a4 ValueName => 00000409 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x000000ac ValueName => 1 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CopyFileExW FunctionAddress => 0x77203b92 ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => IsDebuggerPresent FunctionAddress => 0x771e4a5d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetConsoleInputExeNameW FunctionAddress => 0x771fa79d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | FindFirstFileExW |
FileName => c:\Windows\flag2.txt |
SUCCESS | 0x003dc010 | |
| 10:21:35,312 | 2308 | NtCreateFile |
ShareAccess => 3 FileName => c:\Windows\flag2.txt DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000b4 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtQueryInformationFile |
FileHandle => 0x000000b4 FileInformation => \x10\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtSetInformationFile |
FileHandle => 0x000000b4 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,312 | 2308 | NtReadFile |
Buffer => "567dcc8e4ea"
FileHandle => 0x000000b4 |
SUCCESS | 0x00000000 | |
| 10:21:35,327 | 2308 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => "567dcc8e4ea" |
SUCCESS | 0x00000001 | |
| 10:21:35,327 | 2308 | NtQueryInformationFile |
FileHandle => 0x000000b4 FileInformation => \x10\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,327 | 2308 | NtSetInformationFile |
FileHandle => 0x000000b4 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,327 | 2308 | NtQueryDirectoryFile |
FileName => FileHandle => 0x000000b0 FileInformation => |
FAILURE | 0x80000006 | |
| 10:21:35,327 | 2308 | LdrGetDllHandle |
ModuleHandle => 0x00000017 FileName => mscoree.dll |
FAILURE | 0xc0000135 | 1 time |
| 10:21:35,327 | 2308 | ExitProcess |
ExitCode => 0 |
SUCCESS | 0x00000000 |
cmd.exe PID: 2328, Parent PID: 2240
| Timestamp | Thread | Function | Arguments | Status | Return | Repeated |
|---|---|---|---|---|---|---|
| 10:21:35,499 | 2332 | NtOpenDirectoryObject |
DirectoryHandle => 0x00000098 DesiredAccess => 15 ObjectAttributes => C:\Sessions\1\BaseNamedObjects |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtOpenThread |
DesiredAccess => 2097151 ObjectAttributes => ThreadHandle => 0x0000009c |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetThreadUILanguage FunctionAddress => 0x771fa84f ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtOpenKey |
DesiredAccess => 33554432 KeyHandle => 0x000000a0 ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500 |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtOpenKeyEx |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => Software\Policies\Microsoft\Windows\System |
FAILURE | 0xc0000034 | |
| 10:21:35,499 | 2332 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x000000a4 ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
Information => 1 KeyHandle => 0x000000a4 ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
Information => 0 KeyHandle => 0x000000a4 ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
Information => 64 KeyHandle => 0x000000a4 ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
Information => 64 KeyHandle => 0x000000a4 ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:35,499 | 2332 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x000000a4 ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
Information => 1 KeyHandle => 0x000000a4 ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
Information => 0 KeyHandle => 0x000000a4 ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
Information => 9 KeyHandle => 0x000000a4 ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
Information => 9 KeyHandle => 0x000000a4 ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,499 | 2332 | NtQueryValueKey |
KeyHandle => 0x000000a4 ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:35,499 | 2332 | FindFirstFileExW |
FileName => C:\Users |
SUCCESS | 0x004a1d48 | |
| 10:21:35,499 | 2332 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1 |
SUCCESS | 0x004a1d48 | |
| 10:21:35,499 | 2332 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData |
SUCCESS | 0x004a1d48 | |
| 10:21:35,515 | 2332 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local |
SUCCESS | 0x004a1d48 | |
| 10:21:35,515 | 2332 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp |
SUCCESS | 0x004a1d48 | |
| 10:21:35,515 | 2332 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a4 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a8 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000ac ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x000000a4 ValueName => 00000409 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x000000ac ValueName => 1 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CopyFileExW FunctionAddress => 0x77203b92 ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => IsDebuggerPresent FunctionAddress => 0x771e4a5d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetConsoleInputExeNameW FunctionAddress => 0x771fa79d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | FindFirstFileExW |
FileName => c:\Users\Administrator\Documents\flag3.txt |
SUCCESS | 0x004aad68 | |
| 10:21:35,515 | 2332 | NtCreateFile |
ShareAccess => 3 FileName => c:\Users\Administrator\Documents\flag3.txt DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000b4 |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | NtQueryInformationFile |
FileHandle => 0x000000b4 FileInformation => \x10\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | NtSetInformationFile |
FileHandle => 0x000000b4 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | NtReadFile |
Buffer => "f6403f98"
FileHandle => 0x000000b4 |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => "f6403f98" |
SUCCESS | 0x00000001 | |
| 10:21:35,515 | 2332 | NtQueryInformationFile |
FileHandle => 0x000000b4 FileInformation => \x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | NtSetInformationFile |
FileHandle => 0x000000b4 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,515 | 2332 | NtQueryDirectoryFile |
FileName => FileHandle => 0x000000b0 FileInformation => |
FAILURE | 0x80000006 | |
| 10:21:35,515 | 2332 | LdrGetDllHandle |
ModuleHandle => 0x00000017 FileName => mscoree.dll |
FAILURE | 0xc0000135 | 1 time |
| 10:21:35,515 | 2332 | ExitProcess |
ExitCode => 0 |
SUCCESS | 0x00000000 |
cmd.exe PID: 2352, Parent PID: 2240
| Timestamp | Thread | Function | Arguments | Status | Return | Repeated |
|---|---|---|---|---|---|---|
| 10:21:35,672 | 2356 | NtOpenDirectoryObject |
DirectoryHandle => 0x00000094 DesiredAccess => 15 ObjectAttributes => C:\Sessions\1\BaseNamedObjects |
SUCCESS | 0x00000000 | |
| 10:21:35,672 | 2356 | NtOpenThread |
DesiredAccess => 2097151 ObjectAttributes => ThreadHandle => 0x00000098 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetThreadUILanguage FunctionAddress => 0x771fa84f ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtOpenKey |
DesiredAccess => 33554432 KeyHandle => 0x0000009c ObjectAttributes => \REGISTRY\USER\S-1-5-21-1759130447-358110555-3069562910-500 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtOpenKeyEx |
DesiredAccess => 131097 KeyHandle => 0x00000000 ObjectAttributes => Software\Policies\Microsoft\Windows\System |
FAILURE | 0xc0000034 | |
| 10:21:35,688 | 2356 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x000000a0 ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
KeyHandle => 0x000000a0 ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
Information => 1 KeyHandle => 0x000000a0 ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
KeyHandle => 0x000000a0 ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
Information => 0 KeyHandle => 0x000000a0 ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
Information => 64 KeyHandle => 0x000000a0 ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
Information => 64 KeyHandle => 0x000000a0 ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
KeyHandle => 0x000000a0 ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:35,688 | 2356 | NtOpenKeyEx |
DesiredAccess => 33554432 KeyHandle => 0x000000a0 ObjectAttributes => Software\Microsoft\Command Processor |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
KeyHandle => 0x000000a0 ValueName => DisableUNCCheck |
FAILURE | 0xc0000034 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
Information => 1 KeyHandle => 0x000000a0 ValueName => EnableExtensions Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
KeyHandle => 0x000000a0 ValueName => DelayedExpansion |
FAILURE | 0xc0000034 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
Information => 0 KeyHandle => 0x000000a0 ValueName => DefaultColor Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
Information => 9 KeyHandle => 0x000000a0 ValueName => CompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
Information => 9 KeyHandle => 0x000000a0 ValueName => PathCompletionChar Type => 4 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
KeyHandle => 0x000000a0 ValueName => AutoRun |
FAILURE | 0xc0000034 | |
| 10:21:35,688 | 2356 | FindFirstFileExW |
FileName => C:\Users |
SUCCESS | 0x0062adb8 | |
| 10:21:35,688 | 2356 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1 |
SUCCESS | 0x0062adb8 | |
| 10:21:35,688 | 2356 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData |
SUCCESS | 0x0062adb8 | |
| 10:21:35,688 | 2356 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local |
SUCCESS | 0x0062adb8 | |
| 10:21:35,688 | 2356 | FindFirstFileExW |
FileName => C:\Users\ADMINI~1\AppData\Local\Temp |
SUCCESS | 0x0062adb8 | |
| 10:21:35,688 | 2356 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a0 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a4 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtOpenKey |
DesiredAccess => 131097 KeyHandle => 0x000000a8 ObjectAttributes => \Registry\Machine\System\CurrentControlSet\Control\Nls\Language Groups |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x000000a0 ValueName => 00000409 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryValueKey |
Information => 1\x00\x00\x00 KeyHandle => 0x000000a8 ValueName => 1 Type => 1 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | LdrGetDllHandle |
ModuleHandle => 0x771d0000 FileName => KERNEL32.DLL |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CopyFileExW FunctionAddress => 0x77203b92 ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => IsDebuggerPresent FunctionAddress => 0x771e4a5d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetConsoleInputExeNameW FunctionAddress => 0x771fa79d ModuleHandle => 0x771d0000 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | FindFirstFileExW |
FileName => c:\Users\Administrator\AppData\Roaming\flag4.txt |
SUCCESS | 0x0062adb8 | |
| 10:21:35,688 | 2356 | NtCreateFile |
ShareAccess => 3 FileName => c:\Users\Administrator\AppData\Roaming\flag4.txt DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x000000b0 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtQueryInformationFile |
FileHandle => 0x000000b0 FileInformation => \x10\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtSetInformationFile |
FileHandle => 0x000000b0 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,688 | 2356 | NtReadFile |
Buffer => "b1cf29}"
FileHandle => 0x000000b0 |
SUCCESS | 0x00000000 | |
| 10:21:35,703 | 2356 | WriteConsoleW |
ConsoleHandle => 0x00000007 Buffer => "b1cf29}" |
SUCCESS | 0x00000001 | |
| 10:21:35,703 | 2356 | NtQueryInformationFile |
FileHandle => 0x000000b0 FileInformation => \x0c\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
| 10:21:35,703 | 2356 | NtSetInformationFile |
FileHandle => 0x000000b0 FileInformation => |
SUCCESS | 0x00000000 | |
| 10:21:35,703 | 2356 | NtQueryDirectoryFile |
FileName => FileHandle => 0x000000ac FileInformation => |
FAILURE | 0x80000006 | |
| 10:21:35,703 | 2356 | LdrGetDllHandle |
ModuleHandle => 0x00000017 FileName => mscoree.dll |
FAILURE | 0xc0000135 | 1 time |
| 10:21:35,703 | 2356 | ExitProcess |
ExitCode => 0 |
SUCCESS | 0x00000000 |