{ "info": { "added": 1613475151.141135, "started": 1613475151.472526, "duration": 21, "ended": 1613475173.459486, "owner": null, "score": 0.6, "id": 5, "category": "file", "git": { "head": "13cbe0d9e457be3673304533043e992ead1ea9b2", "fetch_head": "13cbe0d9e457be3673304533043e992ead1ea9b2" }, "monitor": "2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b", "package": "", "route": "none", "custom": null, "machine": { "status": "stopped", "name": "cuckoo1", "label": "win7cuckoo", "manager": "VirtualBox", "started_on": "2021-02-16 11:32:31", "shutdown_on": "2021-02-16 11:32:53" }, "platform": null, "version": "2.0.7", "options": "procmemdump=yes,route=none" }, "procmemory": [ { "regions": [ { "protect": "rw", "end": "0x00030000", "addr": "0x00010000", "state": 4096, "offset": 24, "type": 131072, "size": 131072 }, { "protect": "rw", "end": "0x00032000", "addr": "0x00030000", "state": 4096, "offset": 131120, "type": 131072, "size": 8192 }, { "protect": "r", "end": "0x00041000", "addr": "0x00040000", "state": 4096, "offset": 139336, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x00054000", "addr": "0x00050000", "state": 4096, "offset": 143456, "type": 262144, "size": 16384 }, { "protect": "r", "end": "0x00063000", "addr": "0x00060000", "state": 4096, "offset": 159864, "type": 262144, "size": 12288 }, { "protect": "rw", "end": "0x00071000", "addr": "0x00070000", "state": 4096, "offset": 172176, "type": 131072, "size": 4096 }, { "protect": "rw", "end": "0x00081000", "addr": "0x00080000", "state": 4096, "offset": 176296, "type": 131072, "size": 4096 }, { "protect": "rwx", "end": "0x00091000", "addr": "0x00090000", "state": 4096, "offset": 180416, "type": 131072, "size": 4096 }, { "protect": "rwx", "end": "0x000a1000", "addr": "0x000a0000", "state": 4096, "offset": 184536, "type": 131072, "size": 4096 }, { "protect": "rwx", "end": "0x000b1000", "addr": "0x000b0000", "state": 4096, "offset": 188656, "type": 131072, "size": 4096 }, { "protect": "r", "end": "0x00141000", "addr": "0x00140000", "state": 4096, "offset": 192776, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x01587000", "addr": "0x00141000", "state": 4096, "offset": 196896, "type": 16777216, "size": 21258240 }, { "protect": "r", "end": "0x019a1000", "addr": "0x01587000", "state": 4096, "offset": 21455160, "type": 16777216, "size": 4300800 }, { "protect": "rwc", "end": "0x01afe000", "addr": "0x019a1000", "state": 4096, "offset": 25755984, "type": 16777216, "size": 1429504 }, { "protect": "r", "end": "0x01e9f000", "addr": "0x01afe000", "state": 4096, "offset": 27185512, "type": 16777216, "size": 3805184 }, { "protect": "rw", "end": "0x01f30000", "addr": "0x01f2c000", "state": 4096, "offset": 30990720, "type": 131072, "size": 16384 }, { "protect": "rw", "end": "0x02170000", "addr": "0x0216f000", "state": 4096, "offset": 31007128, "type": 131072, "size": 4096 }, { "protect": "r", "end": "0x77521000", "addr": "0x77520000", "state": 4096, "offset": 31011248, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x7761e000", "addr": "0x77521000", "state": 4096, "offset": 31015368, "type": 16777216, "size": 1036288 }, { "protect": "r", "end": "0x7764d000", "addr": "0x7761e000", "state": 4096, "offset": 32051680, "type": 16777216, "size": 192512 }, { "protect": "rwc", "end": "0x77657000", "addr": "0x7764d000", "state": 4096, "offset": 32244216, "type": 16777216, "size": 40960 }, { "protect": "rw", "end": "0x77658000", "addr": "0x77657000", "state": 4096, "offset": 32285200, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x7765b000", "addr": "0x77658000", "state": 4096, "offset": 32289320, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x776ca000", "addr": "0x7765b000", "state": 4096, "offset": 32301632, "type": 16777216, "size": 454656 }, { "protect": "r", "end": "0x77701000", "addr": "0x77700000", "state": 4096, "offset": 32756312, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x777e6000", "addr": "0x77710000", "state": 4096, "offset": 32760432, "type": 16777216, "size": 876544 }, { "protect": "rx", "end": "0x777f1000", "addr": "0x777f0000", "state": 4096, "offset": 33637000, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x77807000", "addr": "0x77800000", "state": 4096, "offset": 33641120, "type": 16777216, "size": 28672 }, { "protect": "rw", "end": "0x77808000", "addr": "0x77807000", "state": 4096, "offset": 33669816, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x7780a000", "addr": "0x77808000", "state": 4096, "offset": 33673936, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x7786b000", "addr": "0x77810000", "state": 4096, "offset": 33682152, "type": 16777216, "size": 372736 }, { "protect": "r", "end": "0x77875000", "addr": "0x77870000", "state": 4096, "offset": 34054912, "type": 16777216, "size": 20480 }, { "protect": "r", "end": "0x7ffe1000", "addr": "0x7ffe0000", "state": 4096, "offset": 34075416, "type": 131072, "size": 4096 } ], "yara": [], "num": 1, "file": "/home/jean/.cuckoo/storage/analyses/5/memory/2852-1.dmp", "urls": [ "https://docs.microsoft.com/en-us/windows/desktop/wer/wer-settings", "https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date", "https://msit.powerbi.com/groups/8d49da43-4dea-44a3-ac7a-9a4351e92cc3/reports/ad136270-8017-4dec-a0b7-248102dd3579/ReportSection2", "https://portal.office.com/" ], "extracted": [ { "yara": [ { "meta": { "description": "(no description)" }, "name": "loki", "offsets": { "var1": [ [ 91, 0 ], [ 22964266, 0 ], [ 23078871, 0 ], [ 23079025, 0 ], [ 23148175, 0 ], [ 23150376, 0 ], [ 23380927, 0 ], [ 23381060, 0 ], [ 23381406, 0 ], [ 23381484, 0 ], [ 23384532, 0 ], [ 23518731, 0 ], [ 23519668, 0 ], [ 23522789, 0 ], [ 23522811, 0 ], [ 23529820, 0 ], [ 23533114, 0 ], [ 23537053, 0 ], [ 23572944, 0 ], [ 23820720, 0 ], [ 23831865, 0 ], [ 23831889, 0 ], [ 23849301, 0 ] ] }, "strings": [ "Y2Fubm90" ] } ], "sha1": "35864479850d3c6d4a16cc44541370f8597f24ba", "name": "2852-35864479850d3c6d.exe_", "type": "PE32 executable (GUI) Intel 80386, for MS Windows", "sha256": "a15303d4c00d0c8c5a14787c675e9d79992fbce8535a5d3ec6763c27c0aaf99d", "urls": [ "https://docs.microsoft.com/en-us/windows/desktop/wer/wer-settings", "https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date", "https://msit.powerbi.com/groups/8d49da43-4dea-44a3-ac7a-9a4351e92cc3/reports/ad136270-8017-4dec-a0b7-248102dd3579/ReportSection2", "https://portal.office.com/" ], "crc32": "1B979CB8", "path": "/home/jean/.cuckoo/storage/analyses/5/memory/2852-35864479850d3c6d.exe_", "ssdeep": null, "size": 30797824, "sha512": "8694a054587b4dc4da74caca3a18532ee71ab04ab4d814ce3f9b86b1b8f55c88154bf5df1c53fbec8e7054aa86b379bfa4c0d63db85481a621bf91b3e82c28fa", "md5": "af5df55d3533108d17fd462c1d2fce63" } ], "pid": 2852 }, { "regions": [ { "protect": "rw", "end": "0x00020000", "addr": "0x00010000", "state": 4096, "offset": 24, "type": 262144, "size": 65536 }, { "protect": "r", "end": "0x00021000", "addr": "0x00020000", "state": 4096, "offset": 65584, "type": 262144, "size": 4096 }, { "protect": "rw", "end": "0x00031000", "addr": "0x00030000", "state": 4096, "offset": 69704, "type": 131072, "size": 4096 }, { "protect": "r", "end": "0x00041000", "addr": "0x00040000", "state": 4096, "offset": 73824, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x00054000", "addr": "0x00050000", "state": 4096, "offset": 77944, "type": 262144, "size": 16384 }, { "protect": "r", "end": "0x00063000", "addr": "0x00060000", "state": 4096, "offset": 94352, "type": 262144, "size": 12288 }, { "protect": "rw", "end": "0x00071000", "addr": "0x00070000", "state": 4096, "offset": 106664, "type": 131072, "size": 4096 }, { "protect": "rw", "end": "0x00081000", "addr": "0x00080000", "state": 4096, "offset": 110784, "type": 131072, "size": 4096 }, { "protect": "rwx", "end": "0x00091000", "addr": "0x00090000", "state": 4096, "offset": 114904, "type": 131072, "size": 4096 }, { "protect": "rwx", "end": "0x000a1000", "addr": "0x000a0000", "state": 4096, "offset": 119024, "type": 131072, "size": 4096 }, { "protect": "rwx", "end": "0x000b1000", "addr": "0x000b0000", "state": 4096, "offset": 123144, "type": 131072, "size": 4096 }, { "protect": "r", "end": "0x00127000", "addr": "0x000c0000", "state": 4096, "offset": 127264, "type": 262144, "size": 421888 }, { "protect": "rw", "end": "0x00131000", "addr": "0x00130000", "state": 4096, "offset": 549176, "type": 131072, "size": 4096 }, { "protect": "r", "end": "0x00141000", "addr": "0x00140000", "state": 4096, "offset": 553296, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x01587000", "addr": "0x00141000", "state": 4096, "offset": 557416, "type": 16777216, "size": 21258240 }, { "protect": "r", "end": "0x019a1000", "addr": "0x01587000", "state": 4096, "offset": 21815680, "type": 16777216, "size": 4300800 }, { "protect": "rwc", "end": "0x019a4000", "addr": "0x019a1000", "state": 4096, "offset": 26116504, "type": 16777216, "size": 12288 }, { "protect": "rw", "end": "0x019a5000", "addr": "0x019a4000", "state": 4096, "offset": 26128816, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x019cf000", "addr": "0x019a5000", "state": 4096, "offset": 26132936, "type": 16777216, "size": 172032 }, { "protect": "rw", "end": "0x019d0000", "addr": "0x019cf000", "state": 4096, "offset": 26304992, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x019d7000", "addr": "0x019d0000", "state": 4096, "offset": 26309112, "type": 16777216, "size": 28672 }, { "protect": "rw", "end": "0x019d8000", "addr": "0x019d7000", "state": 4096, "offset": 26337808, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x019da000", "addr": "0x019d8000", "state": 4096, "offset": 26341928, "type": 16777216, "size": 8192 }, { "protect": "rw", "end": "0x019db000", "addr": "0x019da000", "state": 4096, "offset": 26350144, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x019eb000", "addr": "0x019db000", "state": 4096, "offset": 26354264, "type": 16777216, "size": 65536 }, { "protect": "rw", "end": "0x019ec000", "addr": "0x019eb000", "state": 4096, "offset": 26419824, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x019ed000", "addr": "0x019ec000", "state": 4096, "offset": 26423944, "type": 16777216, "size": 4096 }, { "protect": "rw", "end": "0x019ee000", "addr": "0x019ed000", "state": 4096, "offset": 26428064, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x01ac3000", "addr": "0x019ee000", "state": 4096, "offset": 26432184, "type": 16777216, "size": 872448 }, { "protect": "rw", "end": "0x01afe000", "addr": "0x01ac3000", "state": 4096, "offset": 27304656, "type": 16777216, "size": 241664 }, { "protect": "r", "end": "0x01e9f000", "addr": "0x01afe000", "state": 4096, "offset": 27546344, "type": 16777216, "size": 3805184 }, { "protect": "rx", "end": "0x01ea1000", "addr": "0x01ea0000", "state": 4096, "offset": 31351552, "type": 131072, "size": 4096 }, { "protect": "r", "end": "0x01eb7000", "addr": "0x01eb0000", "state": 4096, "offset": 31355672, "type": 262144, "size": 28672 }, { "protect": "rw", "end": "0x01ec2000", "addr": "0x01ec0000", "state": 4096, "offset": 31384368, "type": 262144, "size": 8192 }, { "protect": "rw", "end": "0x01ed1000", "addr": "0x01ed0000", "state": 4096, "offset": 31392584, "type": 131072, "size": 4096 }, { "protect": "rw", "end": "0x01ee1000", "addr": "0x01ee0000", "state": 4096, "offset": 31396704, "type": 131072, "size": 4096 }, { "protect": "rw", "end": "0x01f30000", "addr": "0x01f2c000", "state": 4096, "offset": 31400824, "type": 131072, "size": 16384 }, { "protect": "rw", "end": "0x01f31000", "addr": "0x01f30000", "state": 4096, "offset": 31417232, "type": 131072, "size": 4096 }, { "protect": "rw", "end": "0x01f41000", "addr": "0x01f40000", "state": 4096, "offset": 31421352, "type": 131072, "size": 4096 }, { "protect": "rw", "end": "0x01f54000", "addr": "0x01f50000", "state": 4096, "offset": 31425472, "type": 131072, "size": 16384 }, { "protect": "rw", "end": "0x01f64000", "addr": "0x01f60000", "state": 4096, "offset": 31441880, "type": 131072, "size": 16384 }, { "protect": "rw", "end": "0x01f80000", "addr": "0x01f70000", "state": 4096, "offset": 31458288, "type": 131072, "size": 65536 }, { "protect": "rwx", "end": "0x01f88000", "addr": "0x01f80000", "state": 4096, "offset": 31523848, "type": 131072, "size": 32768 }, { "protect": "rw", "end": "0x01f91000", "addr": "0x01f90000", "state": 4096, "offset": 31556640, "type": 131072, "size": 4096 }, { "protect": "rw", "end": "0x01fa1000", "addr": "0x01fa0000", "state": 4096, "offset": 31560760, "type": 131072, "size": 4096 }, { "protect": "rwx", "end": "0x01fb8000", "addr": "0x01fb0000", "state": 4096, "offset": 31564880, "type": 131072, "size": 32768 }, { "protect": "rw", "end": "0x01fc1000", "addr": "0x01fc0000", "state": 4096, "offset": 31597672, "type": 131072, "size": 4096 }, { "protect": "rw", "end": "0x01ffb000", "addr": "0x01ff0000", "state": 4096, "offset": 31601792, "type": 131072, "size": 45056 }, { "protect": "rw", "end": "0x02170000", "addr": "0x0215f000", "state": 4096, "offset": 31646872, "type": 131072, "size": 69632 }, { "protect": "r", "end": "0x02175000", "addr": "0x02170000", "state": 4096, "offset": 31716528, "type": 262144, "size": 20480 }, { "protect": "r", "end": "0x022f3000", "addr": "0x022f0000", "state": 4096, "offset": 31737032, "type": 262144, "size": 12288 }, { "protect": "rw", "end": "0x02326000", "addr": "0x02320000", "state": 4096, "offset": 31749344, "type": 131072, "size": 24576 }, { "protect": "r", "end": "0x02521000", "addr": "0x023a0000", "state": 4096, "offset": 31773944, "type": 262144, "size": 1576960 }, { "protect": "rw", "end": "0x0260f000", "addr": "0x02550000", "state": 4096, "offset": 33350928, "type": 131072, "size": 782336 }, { "protect": "r", "end": "0x0269e000", "addr": "0x02650000", "state": 4096, "offset": 34133288, "type": 262144, "size": 319488 }, { "protect": "r", "end": "0x03d1f000", "addr": "0x03a50000", "state": 4096, "offset": 34452800, "type": 262144, "size": 2945024 }, { "protect": "r", "end": "0x04111000", "addr": "0x03d20000", "state": 4096, "offset": 37397848, "type": 262144, "size": 4132864 }, { "protect": "rw", "end": "0x04132000", "addr": "0x04120000", "state": 4096, "offset": 41530736, "type": 131072, "size": 73728 }, { "protect": "r", "end": "0x6e3c1000", "addr": "0x6e3c0000", "state": 4096, "offset": 41604488, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x6e491000", "addr": "0x6e3c1000", "state": 4096, "offset": 41608608, "type": 16777216, "size": 851968 }, { "protect": "rw", "end": "0x6e493000", "addr": "0x6e491000", "state": 4096, "offset": 42460600, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x6e49c000", "addr": "0x6e493000", "state": 4096, "offset": 42468816, "type": 16777216, "size": 36864 }, { "protect": "r", "end": "0x6e4a1000", "addr": "0x6e4a0000", "state": 4096, "offset": 42505704, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x6e4da000", "addr": "0x6e4a1000", "state": 4096, "offset": 42509824, "type": 16777216, "size": 233472 }, { "protect": "rwc", "end": "0x6e4e1000", "addr": "0x6e4da000", "state": 4096, "offset": 42743320, "type": 16777216, "size": 28672 }, { "protect": "rw", "end": "0x6e4e8000", "addr": "0x6e4e1000", "state": 4096, "offset": 42772016, "type": 16777216, "size": 28672 }, { "protect": "rwc", "end": "0x6e4ea000", "addr": "0x6e4e8000", "state": 4096, "offset": 42800712, "type": 16777216, "size": 8192 }, { "protect": "rw", "end": "0x6e4eb000", "addr": "0x6e4ea000", "state": 4096, "offset": 42808928, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x6e4ff000", "addr": "0x6e4eb000", "state": 4096, "offset": 42813048, "type": 16777216, "size": 81920 }, { "protect": "rw", "end": "0x6e500000", "addr": "0x6e4ff000", "state": 4096, "offset": 42894992, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x6e537000", "addr": "0x6e500000", "state": 4096, "offset": 42899112, "type": 16777216, "size": 225280 }, { "protect": "rw", "end": "0x6e538000", "addr": "0x6e537000", "state": 4096, "offset": 43124416, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x6e53b000", "addr": "0x6e538000", "state": 4096, "offset": 43128536, "type": 16777216, "size": 12288 }, { "protect": "rw", "end": "0x6e54c000", "addr": "0x6e53b000", "state": 4096, "offset": 43140848, "type": 16777216, "size": 69632 }, { "protect": "rwc", "end": "0x6e55b000", "addr": "0x6e54c000", "state": 4096, "offset": 43210504, "type": 16777216, "size": 61440 }, { "protect": "rw", "end": "0x6e5a0000", "addr": "0x6e55b000", "state": 4096, "offset": 43271968, "type": 16777216, "size": 282624 }, { "protect": "rwc", "end": "0x6e682000", "addr": "0x6e5a0000", "state": 4096, "offset": 43554616, "type": 16777216, "size": 925696 }, { "protect": "rw", "end": "0x6e684000", "addr": "0x6e682000", "state": 4096, "offset": 44480336, "type": 16777216, "size": 8192 }, { "protect": "rwc", "end": "0x6e692000", "addr": "0x6e684000", "state": 4096, "offset": 44488552, "type": 16777216, "size": 57344 }, { "protect": "rw", "end": "0x6e694000", "addr": "0x6e692000", "state": 4096, "offset": 44545920, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x6e69c000", "addr": "0x6e694000", "state": 4096, "offset": 44554136, "type": 16777216, "size": 32768 }, { "protect": "rw", "end": "0x6e69d000", "addr": "0x6e69c000", "state": 4096, "offset": 44586928, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x6e69f000", "addr": "0x6e69d000", "state": 4096, "offset": 44591048, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x6e6a5000", "addr": "0x6e69f000", "state": 4096, "offset": 44599264, "type": 16777216, "size": 24576 }, { "protect": "rx", "end": "0x6f710000", "addr": "0x6f700000", "state": 4096, "offset": 44623864, "type": 131072, "size": 65536 }, { "protect": "r", "end": "0x71d91000", "addr": "0x71d90000", "state": 4096, "offset": 44689424, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x71dc4000", "addr": "0x71d91000", "state": 4096, "offset": 44693544, "type": 16777216, "size": 208896 }, { "protect": "rw", "end": "0x71dc6000", "addr": "0x71dc4000", "state": 4096, "offset": 44902464, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x71dc9000", "addr": "0x71dc6000", "state": 4096, "offset": 44910680, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x71e01000", "addr": "0x71e00000", "state": 4096, "offset": 44922992, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x71f4f000", "addr": "0x71e01000", "state": 4096, "offset": 44927112, "type": 16777216, "size": 1368064 }, { "protect": "r", "end": "0x71fcd000", "addr": "0x71f4f000", "state": 4096, "offset": 46295200, "type": 16777216, "size": 516096 }, { "protect": "rw", "end": "0x71fd0000", "addr": "0x71fcd000", "state": 4096, "offset": 46811320, "type": 16777216, "size": 12288 }, { "protect": "rwc", "end": "0x71fd3000", "addr": "0x71fd0000", "state": 4096, "offset": 46823632, "type": 16777216, "size": 12288 }, { "protect": "rw", "end": "0x71fd9000", "addr": "0x71fd3000", "state": 4096, "offset": 46835944, "type": 16777216, "size": 24576 }, { "protect": "r", "end": "0x71ff2000", "addr": "0x71fd9000", "state": 4096, "offset": 46860544, "type": 16777216, "size": 102400 }, { "protect": "r", "end": "0x72821000", "addr": "0x72820000", "state": 4096, "offset": 46962968, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72824000", "addr": "0x72821000", "state": 4096, "offset": 46967088, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x72825000", "addr": "0x72824000", "state": 4096, "offset": 46979400, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72831000", "addr": "0x72830000", "state": 4096, "offset": 46983520, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72832000", "addr": "0x72831000", "state": 4096, "offset": 46987640, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72833000", "addr": "0x72832000", "state": 4096, "offset": 46991760, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72841000", "addr": "0x72840000", "state": 4096, "offset": 46995880, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72842000", "addr": "0x72841000", "state": 4096, "offset": 47000000, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72843000", "addr": "0x72842000", "state": 4096, "offset": 47004120, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72851000", "addr": "0x72850000", "state": 4096, "offset": 47008240, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72852000", "addr": "0x72851000", "state": 4096, "offset": 47012360, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72853000", "addr": "0x72852000", "state": 4096, "offset": 47016480, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72861000", "addr": "0x72860000", "state": 4096, "offset": 47020600, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72862000", "addr": "0x72861000", "state": 4096, "offset": 47024720, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72863000", "addr": "0x72862000", "state": 4096, "offset": 47028840, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72891000", "addr": "0x72890000", "state": 4096, "offset": 47032960, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x7289c000", "addr": "0x72891000", "state": 4096, "offset": 47037080, "type": 16777216, "size": 45056 }, { "protect": "rw", "end": "0x7289d000", "addr": "0x7289c000", "state": 4096, "offset": 47082160, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x7289f000", "addr": "0x7289d000", "state": 4096, "offset": 47086280, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x728a1000", "addr": "0x728a0000", "state": 4096, "offset": 47094496, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x728c1000", "addr": "0x728a1000", "state": 4096, "offset": 47098616, "type": 16777216, "size": 131072 }, { "protect": "rw", "end": "0x728c2000", "addr": "0x728c1000", "state": 4096, "offset": 47229712, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x728c8000", "addr": "0x728c2000", "state": 4096, "offset": 47233832, "type": 16777216, "size": 24576 }, { "protect": "r", "end": "0x728d1000", "addr": "0x728d0000", "state": 4096, "offset": 47258432, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x728e9000", "addr": "0x728d1000", "state": 4096, "offset": 47262552, "type": 16777216, "size": 98304 }, { "protect": "rw", "end": "0x728ea000", "addr": "0x728e9000", "state": 4096, "offset": 47360880, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x728ec000", "addr": "0x728ea000", "state": 4096, "offset": 47365000, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x729d1000", "addr": "0x729d0000", "state": 4096, "offset": 47373216, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x729d4000", "addr": "0x729d1000", "state": 4096, "offset": 47377336, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x729d5000", "addr": "0x729d4000", "state": 4096, "offset": 47389648, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x729e1000", "addr": "0x729e0000", "state": 4096, "offset": 47393768, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x729e2000", "addr": "0x729e1000", "state": 4096, "offset": 47397888, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x729e3000", "addr": "0x729e2000", "state": 4096, "offset": 47402008, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x729f1000", "addr": "0x729f0000", "state": 4096, "offset": 47406128, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72a54000", "addr": "0x729f1000", "state": 4096, "offset": 47410248, "type": 16777216, "size": 405504 }, { "protect": "rw", "end": "0x72a57000", "addr": "0x72a54000", "state": 4096, "offset": 47815776, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x72a59000", "addr": "0x72a57000", "state": 4096, "offset": 47828088, "type": 16777216, "size": 8192 }, { "protect": "rwc", "end": "0x72a5a000", "addr": "0x72a59000", "state": 4096, "offset": 47836304, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72a5f000", "addr": "0x72a5a000", "state": 4096, "offset": 47840424, "type": 16777216, "size": 20480 }, { "protect": "r", "end": "0x72a61000", "addr": "0x72a60000", "state": 4096, "offset": 47860928, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72a63000", "addr": "0x72a61000", "state": 4096, "offset": 47865048, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x72a64000", "addr": "0x72a63000", "state": 4096, "offset": 47873264, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72a71000", "addr": "0x72a70000", "state": 4096, "offset": 47877384, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72a73000", "addr": "0x72a71000", "state": 4096, "offset": 47881504, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x72a74000", "addr": "0x72a73000", "state": 4096, "offset": 47889720, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72a81000", "addr": "0x72a80000", "state": 4096, "offset": 47893840, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72a83000", "addr": "0x72a81000", "state": 4096, "offset": 47897960, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x72a84000", "addr": "0x72a83000", "state": 4096, "offset": 47906176, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72a91000", "addr": "0x72a90000", "state": 4096, "offset": 47910296, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72a92000", "addr": "0x72a91000", "state": 4096, "offset": 47914416, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72a93000", "addr": "0x72a92000", "state": 4096, "offset": 47918536, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72aa1000", "addr": "0x72aa0000", "state": 4096, "offset": 47922656, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72bf4000", "addr": "0x72aa1000", "state": 4096, "offset": 47926776, "type": 16777216, "size": 1388544 }, { "protect": "r", "end": "0x72c5a000", "addr": "0x72bf4000", "state": 4096, "offset": 49315344, "type": 16777216, "size": 417792 }, { "protect": "rw", "end": "0x72c5c000", "addr": "0x72c5a000", "state": 4096, "offset": 49733160, "type": 16777216, "size": 8192 }, { "protect": "rwc", "end": "0x72c68000", "addr": "0x72c5c000", "state": 4096, "offset": 49741376, "type": 16777216, "size": 49152 }, { "protect": "rw", "end": "0x72c6c000", "addr": "0x72c68000", "state": 4096, "offset": 49790552, "type": 16777216, "size": 16384 }, { "protect": "r", "end": "0x72c6e000", "addr": "0x72c6c000", "state": 4096, "offset": 49806960, "type": 16777216, "size": 8192 }, { "protect": "rwc", "end": "0x72c6f000", "addr": "0x72c6e000", "state": 4096, "offset": 49815176, "type": 16777216, "size": 4096 }, { "protect": "rw", "end": "0x72c70000", "addr": "0x72c6f000", "state": 4096, "offset": 49819296, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72c8a000", "addr": "0x72c70000", "state": 4096, "offset": 49823416, "type": 16777216, "size": 106496 }, { "protect": "r", "end": "0x72c91000", "addr": "0x72c90000", "state": 4096, "offset": 49929936, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72c94000", "addr": "0x72c91000", "state": 4096, "offset": 49934056, "type": 16777216, "size": 12288 }, { "protect": "rw", "end": "0x72c95000", "addr": "0x72c94000", "state": 4096, "offset": 49946368, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72c97000", "addr": "0x72c95000", "state": 4096, "offset": 49950488, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x72ca1000", "addr": "0x72ca0000", "state": 4096, "offset": 49958704, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72ca2000", "addr": "0x72ca1000", "state": 4096, "offset": 49962824, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72ca3000", "addr": "0x72ca2000", "state": 4096, "offset": 49966944, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72cb1000", "addr": "0x72cb0000", "state": 4096, "offset": 49971064, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72cb2000", "addr": "0x72cb1000", "state": 4096, "offset": 49975184, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72cb3000", "addr": "0x72cb2000", "state": 4096, "offset": 49979304, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72cc1000", "addr": "0x72cc0000", "state": 4096, "offset": 49983424, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72cc2000", "addr": "0x72cc1000", "state": 4096, "offset": 49987544, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72cc3000", "addr": "0x72cc2000", "state": 4096, "offset": 49991664, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72cd1000", "addr": "0x72cd0000", "state": 4096, "offset": 49995784, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72cd2000", "addr": "0x72cd1000", "state": 4096, "offset": 49999904, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72cd3000", "addr": "0x72cd2000", "state": 4096, "offset": 50004024, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72de1000", "addr": "0x72de0000", "state": 4096, "offset": 50008144, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72dee000", "addr": "0x72de1000", "state": 4096, "offset": 50012264, "type": 16777216, "size": 53248 }, { "protect": "rw", "end": "0x72df3000", "addr": "0x72dee000", "state": 4096, "offset": 50065536, "type": 16777216, "size": 20480 }, { "protect": "rwc", "end": "0x72df7000", "addr": "0x72df3000", "state": 4096, "offset": 50086040, "type": 16777216, "size": 16384 }, { "protect": "r", "end": "0x72df9000", "addr": "0x72df7000", "state": 4096, "offset": 50102448, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x72e31000", "addr": "0x72e30000", "state": 4096, "offset": 50110664, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72e32000", "addr": "0x72e31000", "state": 4096, "offset": 50114784, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72e33000", "addr": "0x72e32000", "state": 4096, "offset": 50118904, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72e41000", "addr": "0x72e40000", "state": 4096, "offset": 50123024, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72e4e000", "addr": "0x72e41000", "state": 4096, "offset": 50127144, "type": 16777216, "size": 53248 }, { "protect": "rw", "end": "0x72e4f000", "addr": "0x72e4e000", "state": 4096, "offset": 50180416, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72e51000", "addr": "0x72e4f000", "state": 4096, "offset": 50184536, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x72e61000", "addr": "0x72e60000", "state": 4096, "offset": 50192752, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72e63000", "addr": "0x72e61000", "state": 4096, "offset": 50196872, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x72e64000", "addr": "0x72e63000", "state": 4096, "offset": 50205088, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72e71000", "addr": "0x72e70000", "state": 4096, "offset": 50209208, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72e7f000", "addr": "0x72e71000", "state": 4096, "offset": 50213328, "type": 16777216, "size": 57344 }, { "protect": "rw", "end": "0x72e80000", "addr": "0x72e7f000", "state": 4096, "offset": 50270696, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72e83000", "addr": "0x72e80000", "state": 4096, "offset": 50274816, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x72e91000", "addr": "0x72e90000", "state": 4096, "offset": 50287128, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72ea3000", "addr": "0x72e91000", "state": 4096, "offset": 50291248, "type": 16777216, "size": 73728 }, { "protect": "r", "end": "0x72ea9000", "addr": "0x72ea3000", "state": 4096, "offset": 50365000, "type": 16777216, "size": 24576 }, { "protect": "rw", "end": "0x72eaa000", "addr": "0x72ea9000", "state": 4096, "offset": 50389600, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72ead000", "addr": "0x72eaa000", "state": 4096, "offset": 50393720, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x72eb1000", "addr": "0x72eb0000", "state": 4096, "offset": 50406032, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x72eeb000", "addr": "0x72eb1000", "state": 4096, "offset": 50410152, "type": 16777216, "size": 237568 }, { "protect": "rw", "end": "0x72eec000", "addr": "0x72eeb000", "state": 4096, "offset": 50647744, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x72eed000", "addr": "0x72eec000", "state": 4096, "offset": 50651864, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x72ef2000", "addr": "0x72eed000", "state": 4096, "offset": 50655984, "type": 16777216, "size": 20480 }, { "protect": "r", "end": "0x730a1000", "addr": "0x730a0000", "state": 4096, "offset": 50676488, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x730b4000", "addr": "0x730a1000", "state": 4096, "offset": 50680608, "type": 16777216, "size": 77824 }, { "protect": "rw", "end": "0x730b5000", "addr": "0x730b4000", "state": 4096, "offset": 50758456, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x730b7000", "addr": "0x730b5000", "state": 4096, "offset": 50762576, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x730c1000", "addr": "0x730c0000", "state": 4096, "offset": 50770792, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x730cc000", "addr": "0x730c1000", "state": 4096, "offset": 50774912, "type": 16777216, "size": 45056 }, { "protect": "rw", "end": "0x730cd000", "addr": "0x730cc000", "state": 4096, "offset": 50819992, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x730cf000", "addr": "0x730cd000", "state": 4096, "offset": 50824112, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x73331000", "addr": "0x73330000", "state": 4096, "offset": 50832328, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x7349d000", "addr": "0x73331000", "state": 4096, "offset": 50836448, "type": 16777216, "size": 1490944 }, { "protect": "rw", "end": "0x7349e000", "addr": "0x7349d000", "state": 4096, "offset": 52327416, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x734a1000", "addr": "0x7349e000", "state": 4096, "offset": 52331536, "type": 16777216, "size": 12288 }, { "protect": "rw", "end": "0x734a2000", "addr": "0x734a1000", "state": 4096, "offset": 52343848, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x734a3000", "addr": "0x734a2000", "state": 4096, "offset": 52347968, "type": 16777216, "size": 4096 }, { "protect": "rw", "end": "0x734a5000", "addr": "0x734a3000", "state": 4096, "offset": 52352088, "type": 16777216, "size": 8192 }, { "protect": "rwc", "end": "0x734a6000", "addr": "0x734a5000", "state": 4096, "offset": 52360304, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x734c1000", "addr": "0x734a6000", "state": 4096, "offset": 52364424, "type": 16777216, "size": 110592 }, { "protect": "r", "end": "0x738e1000", "addr": "0x738e0000", "state": 4096, "offset": 52475040, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x738e2000", "addr": "0x738e1000", "state": 4096, "offset": 52479160, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x738e3000", "addr": "0x738e2000", "state": 4096, "offset": 52483280, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x73951000", "addr": "0x73950000", "state": 4096, "offset": 52487400, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x73956000", "addr": "0x73951000", "state": 4096, "offset": 52491520, "type": 16777216, "size": 20480 }, { "protect": "rw", "end": "0x73957000", "addr": "0x73956000", "state": 4096, "offset": 52512024, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x73959000", "addr": "0x73957000", "state": 4096, "offset": 52516144, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x73971000", "addr": "0x73970000", "state": 4096, "offset": 52524360, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x73974000", "addr": "0x73971000", "state": 4096, "offset": 52528480, "type": 16777216, "size": 12288 }, { "protect": "rw", "end": "0x73975000", "addr": "0x73974000", "state": 4096, "offset": 52540792, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x73978000", "addr": "0x73975000", "state": 4096, "offset": 52544912, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x73981000", "addr": "0x73980000", "state": 4096, "offset": 52557224, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x739ce000", "addr": "0x73981000", "state": 4096, "offset": 52561344, "type": 16777216, "size": 315392 }, { "protect": "rw", "end": "0x739cf000", "addr": "0x739ce000", "state": 4096, "offset": 52876760, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x739d2000", "addr": "0x739cf000", "state": 4096, "offset": 52880880, "type": 16777216, "size": 12288 }, { "protect": "rw", "end": "0x739d3000", "addr": "0x739d2000", "state": 4096, "offset": 52893192, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x739dc000", "addr": "0x739d3000", "state": 4096, "offset": 52897312, "type": 16777216, "size": 36864 }, { "protect": "r", "end": "0x739e1000", "addr": "0x739e0000", "state": 4096, "offset": 52934200, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x73a19000", "addr": "0x739e1000", "state": 4096, "offset": 52938320, "type": 16777216, "size": 229376 }, { "protect": "rw", "end": "0x73a1b000", "addr": "0x73a19000", "state": 4096, "offset": 53167720, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x73a1f000", "addr": "0x73a1b000", "state": 4096, "offset": 53175936, "type": 16777216, "size": 16384 }, { "protect": "r", "end": "0x74f91000", "addr": "0x74f90000", "state": 4096, "offset": 53192344, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x74f99000", "addr": "0x74f91000", "state": 4096, "offset": 53196464, "type": 16777216, "size": 32768 }, { "protect": "rw", "end": "0x74f9a000", "addr": "0x74f99000", "state": 4096, "offset": 53229256, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x74f9c000", "addr": "0x74f9a000", "state": 4096, "offset": 53233376, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x74fa1000", "addr": "0x74fa0000", "state": 4096, "offset": 53241592, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x74fc6000", "addr": "0x74fb0000", "state": 4096, "offset": 53245712, "type": 16777216, "size": 90112 }, { "protect": "rw", "end": "0x74fd1000", "addr": "0x74fd0000", "state": 4096, "offset": 53335848, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x74fe1000", "addr": "0x74fe0000", "state": 4096, "offset": 53339968, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x74ff2000", "addr": "0x74ff0000", "state": 4096, "offset": 53344088, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x751e1000", "addr": "0x751e0000", "state": 4096, "offset": 53352304, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x75287000", "addr": "0x751f0000", "state": 4096, "offset": 53356424, "type": 16777216, "size": 618496 }, { "protect": "rx", "end": "0x75293000", "addr": "0x75290000", "state": 4096, "offset": 53974944, "type": 16777216, "size": 12288 }, { "protect": "rw", "end": "0x752a1000", "addr": "0x752a0000", "state": 4096, "offset": 53987256, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x752b4000", "addr": "0x752b0000", "state": 4096, "offset": 53991376, "type": 16777216, "size": 16384 }, { "protect": "r", "end": "0x752c5000", "addr": "0x752c0000", "state": 4096, "offset": 54007784, "type": 16777216, "size": 20480 }, { "protect": "r", "end": "0x752d1000", "addr": "0x752d0000", "state": 4096, "offset": 54028288, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x7534d000", "addr": "0x752e0000", "state": 4096, "offset": 54032408, "type": 16777216, "size": 446464 }, { "protect": "rw", "end": "0x75351000", "addr": "0x75350000", "state": 4096, "offset": 54478896, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x753bb000", "addr": "0x75360000", "state": 4096, "offset": 54483016, "type": 16777216, "size": 372736 }, { "protect": "r", "end": "0x753c4000", "addr": "0x753c0000", "state": 4096, "offset": 54855776, "type": 16777216, "size": 16384 }, { "protect": "r", "end": "0x753d1000", "addr": "0x753d0000", "state": 4096, "offset": 54872184, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x7542c000", "addr": "0x753d1000", "state": 4096, "offset": 54876304, "type": 16777216, "size": 372736 }, { "protect": "rw", "end": "0x7542e000", "addr": "0x7542c000", "state": 4096, "offset": 55249064, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x7546d000", "addr": "0x7542e000", "state": 4096, "offset": 55257280, "type": 16777216, "size": 258048 }, { "protect": "r", "end": "0x75471000", "addr": "0x75470000", "state": 4096, "offset": 55515352, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x75473000", "addr": "0x75471000", "state": 4096, "offset": 55519472, "type": 16777216, "size": 8192 }, { "protect": "rw", "end": "0x75474000", "addr": "0x75473000", "state": 4096, "offset": 55527688, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x75476000", "addr": "0x75474000", "state": 4096, "offset": 55531808, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x75721000", "addr": "0x75720000", "state": 4096, "offset": 55540024, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x75734000", "addr": "0x75721000", "state": 4096, "offset": 55544144, "type": 16777216, "size": 77824 }, { "protect": "rw", "end": "0x75735000", "addr": "0x75734000", "state": 4096, "offset": 55621992, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x75737000", "addr": "0x75735000", "state": 4096, "offset": 55626112, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x75739000", "addr": "0x75737000", "state": 4096, "offset": 55634328, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x75761000", "addr": "0x75760000", "state": 4096, "offset": 55642544, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x758a7000", "addr": "0x75761000", "state": 4096, "offset": 55646664, "type": 16777216, "size": 1335296 }, { "protect": "rw", "end": "0x758ab000", "addr": "0x758a7000", "state": 4096, "offset": 56981984, "type": 16777216, "size": 16384 }, { "protect": "r", "end": "0x758bd000", "addr": "0x758ab000", "state": 4096, "offset": 56998392, "type": 16777216, "size": 73728 }, { "protect": "r", "end": "0x759a1000", "addr": "0x759a0000", "state": 4096, "offset": 57072144, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x75a25000", "addr": "0x759a1000", "state": 4096, "offset": 57076264, "type": 16777216, "size": 540672 }, { "protect": "rw", "end": "0x75a26000", "addr": "0x75a25000", "state": 4096, "offset": 57616960, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x75a27000", "addr": "0x75a26000", "state": 4096, "offset": 57621080, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x75a6d000", "addr": "0x75a27000", "state": 4096, "offset": 57625200, "type": 16777216, "size": 286720 }, { "protect": "r", "end": "0x75a71000", "addr": "0x75a70000", "state": 4096, "offset": 57911944, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x75a78000", "addr": "0x75a71000", "state": 4096, "offset": 57916064, "type": 16777216, "size": 28672 }, { "protect": "rw", "end": "0x75a79000", "addr": "0x75a78000", "state": 4096, "offset": 57944760, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x75a7b000", "addr": "0x75a79000", "state": 4096, "offset": 57948880, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x75a81000", "addr": "0x75a80000", "state": 4096, "offset": 57957096, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x75ac1000", "addr": "0x75a81000", "state": 4096, "offset": 57961216, "type": 16777216, "size": 262144 }, { "protect": "rw", "end": "0x75ac3000", "addr": "0x75ac1000", "state": 4096, "offset": 58223384, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x75ac7000", "addr": "0x75ac3000", "state": 4096, "offset": 58231600, "type": 16777216, "size": 16384 }, { "protect": "r", "end": "0x75c91000", "addr": "0x75c90000", "state": 4096, "offset": 58248008, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x75cb7000", "addr": "0x75ca0000", "state": 4096, "offset": 58252128, "type": 16777216, "size": 94208 }, { "protect": "rw", "end": "0x75cc1000", "addr": "0x75cc0000", "state": 4096, "offset": 58346360, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x75cd5000", "addr": "0x75cd0000", "state": 4096, "offset": 58350480, "type": 16777216, "size": 20480 }, { "protect": "r", "end": "0x75ce1000", "addr": "0x75ce0000", "state": 4096, "offset": 58370984, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x75cf1000", "addr": "0x75cf0000", "state": 4096, "offset": 58375104, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x75d64000", "addr": "0x75cf1000", "state": 4096, "offset": 58379224, "type": 16777216, "size": 471040 }, { "protect": "rw", "end": "0x75d68000", "addr": "0x75d64000", "state": 4096, "offset": 58850288, "type": 16777216, "size": 16384 }, { "protect": "r", "end": "0x75d91000", "addr": "0x75d68000", "state": 4096, "offset": 58866696, "type": 16777216, "size": 167936 }, { "protect": "r", "end": "0x75db1000", "addr": "0x75db0000", "state": 4096, "offset": 59034656, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x75e0a000", "addr": "0x75dc0000", "state": 4096, "offset": 59038776, "type": 16777216, "size": 303104 }, { "protect": "rw", "end": "0x75e11000", "addr": "0x75e10000", "state": 4096, "offset": 59341904, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x75e21000", "addr": "0x75e20000", "state": 4096, "offset": 59346024, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x75e32000", "addr": "0x75e30000", "state": 4096, "offset": 59350144, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x76100000", "addr": "0x760f0000", "state": 4096, "offset": 59358360, "type": 16777216, "size": 65536 }, { "protect": "rx", "end": "0x761c1000", "addr": "0x76100000", "state": 4096, "offset": 59423920, "type": 16777216, "size": 790528 }, { "protect": "rw", "end": "0x761d1000", "addr": "0x761d0000", "state": 4096, "offset": 60214472, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x761d2000", "addr": "0x761d1000", "state": 4096, "offset": 60218592, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x761e1000", "addr": "0x761e0000", "state": 4096, "offset": 60222712, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x761fb000", "addr": "0x761f0000", "state": 4096, "offset": 60226832, "type": 16777216, "size": 45056 }, { "protect": "r", "end": "0x76411000", "addr": "0x76410000", "state": 4096, "offset": 60271912, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x76417000", "addr": "0x76411000", "state": 4096, "offset": 60276032, "type": 16777216, "size": 24576 }, { "protect": "rw", "end": "0x76418000", "addr": "0x76417000", "state": 4096, "offset": 60300632, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x7641a000", "addr": "0x76418000", "state": 4096, "offset": 60304752, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x76421000", "addr": "0x76420000", "state": 4096, "offset": 60312968, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x76433000", "addr": "0x76421000", "state": 4096, "offset": 60317088, "type": 16777216, "size": 73728 }, { "protect": "rw", "end": "0x76434000", "addr": "0x76433000", "state": 4096, "offset": 60390840, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x76437000", "addr": "0x76434000", "state": 4096, "offset": 60394960, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x76451000", "addr": "0x76450000", "state": 4096, "offset": 60407272, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x764d8000", "addr": "0x76451000", "state": 4096, "offset": 60411392, "type": 16777216, "size": 552960 }, { "protect": "rw", "end": "0x764da000", "addr": "0x764d8000", "state": 4096, "offset": 60964376, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x764e1000", "addr": "0x764da000", "state": 4096, "offset": 60972592, "type": 16777216, "size": 28672 }, { "protect": "r", "end": "0x764f1000", "addr": "0x764f0000", "state": 4096, "offset": 61001288, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x76542000", "addr": "0x764f1000", "state": 4096, "offset": 61005408, "type": 16777216, "size": 331776 }, { "protect": "rw", "end": "0x76543000", "addr": "0x76542000", "state": 4096, "offset": 61337208, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x76547000", "addr": "0x76543000", "state": 4096, "offset": 61341328, "type": 16777216, "size": 16384 }, { "protect": "r", "end": "0x76551000", "addr": "0x76550000", "state": 4096, "offset": 61357736, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x7691c000", "addr": "0x76551000", "state": 4096, "offset": 61361856, "type": 16777216, "size": 3977216 }, { "protect": "rw", "end": "0x76920000", "addr": "0x7691c000", "state": 4096, "offset": 65339096, "type": 16777216, "size": 16384 }, { "protect": "rwc", "end": "0x76923000", "addr": "0x76920000", "state": 4096, "offset": 65355504, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x7719c000", "addr": "0x76923000", "state": 4096, "offset": 65367816, "type": 16777216, "size": 8884224 }, { "protect": "r", "end": "0x771e1000", "addr": "0x771e0000", "state": 4096, "offset": 74252064, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x771e9000", "addr": "0x771e1000", "state": 4096, "offset": 74256184, "type": 16777216, "size": 32768 }, { "protect": "rw", "end": "0x771ea000", "addr": "0x771e9000", "state": 4096, "offset": 74288976, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x771ec000", "addr": "0x771ea000", "state": 4096, "offset": 74293096, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x77251000", "addr": "0x77250000", "state": 4096, "offset": 74301312, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x772f0000", "addr": "0x77251000", "state": 4096, "offset": 74305432, "type": 16777216, "size": 651264 }, { "protect": "rw", "end": "0x772f1000", "addr": "0x772f0000", "state": 4096, "offset": 74956720, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x772f2000", "addr": "0x772f1000", "state": 4096, "offset": 74960840, "type": 16777216, "size": 4096 }, { "protect": "rw", "end": "0x772f4000", "addr": "0x772f2000", "state": 4096, "offset": 74964960, "type": 16777216, "size": 8192 }, { "protect": "rwc", "end": "0x772f7000", "addr": "0x772f4000", "state": 4096, "offset": 74973176, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x772fc000", "addr": "0x772f7000", "state": 4096, "offset": 74985488, "type": 16777216, "size": 20480 }, { "protect": "r", "end": "0x77521000", "addr": "0x77520000", "state": 4096, "offset": 75005992, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x7761e000", "addr": "0x77521000", "state": 4096, "offset": 75010112, "type": 16777216, "size": 1036288 }, { "protect": "r", "end": "0x7764d000", "addr": "0x7761e000", "state": 4096, "offset": 76046424, "type": 16777216, "size": 192512 }, { "protect": "rw", "end": "0x7764e000", "addr": "0x7764d000", "state": 4096, "offset": 76238960, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x7764f000", "addr": "0x7764e000", "state": 4096, "offset": 76243080, "type": 16777216, "size": 4096 }, { "protect": "rw", "end": "0x77650000", "addr": "0x7764f000", "state": 4096, "offset": 76247200, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x77652000", "addr": "0x77650000", "state": 4096, "offset": 76251320, "type": 16777216, "size": 8192 }, { "protect": "rw", "end": "0x77653000", "addr": "0x77652000", "state": 4096, "offset": 76259536, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x77656000", "addr": "0x77653000", "state": 4096, "offset": 76263656, "type": 16777216, "size": 12288 }, { "protect": "rw", "end": "0x77658000", "addr": "0x77656000", "state": 4096, "offset": 76275968, "type": 16777216, "size": 8192 }, { "protect": "rwc", "end": "0x77659000", "addr": "0x77658000", "state": 4096, "offset": 76284184, "type": 16777216, "size": 4096 }, { "protect": "rw", "end": "0x7765b000", "addr": "0x77659000", "state": 4096, "offset": 76288304, "type": 16777216, "size": 8192 }, { "protect": "r", "end": "0x776ca000", "addr": "0x7765b000", "state": 4096, "offset": 76296520, "type": 16777216, "size": 454656 }, { "protect": "r", "end": "0x77701000", "addr": "0x77700000", "state": 4096, "offset": 76751200, "type": 16777216, "size": 4096 }, { "protect": "rx", "end": "0x777e6000", "addr": "0x77710000", "state": 4096, "offset": 76755320, "type": 16777216, "size": 876544 }, { "protect": "rx", "end": "0x777f1000", "addr": "0x777f0000", "state": 4096, "offset": 77631888, "type": 16777216, "size": 4096 }, { "protect": "rw", "end": "0x77801000", "addr": "0x77800000", "state": 4096, "offset": 77636008, "type": 16777216, "size": 4096 }, { "protect": "r", "end": "0x77802000", "addr": "0x77801000", "state": 4096, "offset": 77640128, "type": 16777216, "size": 4096 }, { "protect": "rw", "end": "0x77803000", "addr": "0x77802000", "state": 4096, "offset": 77644248, "type": 16777216, "size": 4096 }, { "protect": "rwc", "end": "0x77804000", "addr": "0x77803000", "state": 4096, "offset": 77648368, "type": 16777216, "size": 4096 }, { "protect": "rw", "end": "0x77806000", "addr": "0x77804000", "state": 4096, "offset": 77652488, "type": 16777216, "size": 8192 }, { "protect": "rwc", "end": "0x77807000", "addr": "0x77806000", "state": 4096, "offset": 77660704, "type": 16777216, "size": 4096 }, { "protect": "rw", "end": "0x7780a000", "addr": "0x77807000", "state": 4096, "offset": 77664824, "type": 16777216, "size": 12288 }, { "protect": "r", "end": "0x7786b000", "addr": "0x77810000", "state": 4096, "offset": 77677136, "type": 16777216, "size": 372736 }, { "protect": "r", "end": "0x77875000", "addr": "0x77870000", "state": 4096, "offset": 78049896, "type": 16777216, "size": 20480 }, { "protect": "r", "end": "0x7efe5000", "addr": "0x7efe0000", "state": 4096, "offset": 78070400, "type": 262144, "size": 20480 }, { "protect": "r", "end": "0x7ffe1000", "addr": "0x7ffe0000", "state": 4096, "offset": 78090904, "type": 131072, "size": 4096 } ], "yara": [], "num": 2, "file": "/home/jean/.cuckoo/storage/analyses/5/memory/2852-2.dmp", "urls": [ "https://docs.microsoft.com/en-us/windows/desktop/wer/wer-settings", "https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date", "https://msit.powerbi.com/groups/8d49da43-4dea-44a3-ac7a-9a4351e92cc3/reports/ad136270-8017-4dec-a0b7-248102dd3579/ReportSection2", "https://portal.office.com/" ], "extracted": [ { "yara": [ { "meta": { "description": "(no description)" }, "name": "loki", "offsets": { "var1": [ [ 91, 0 ], [ 22964266, 0 ], [ 23078871, 0 ], [ 23079025, 0 ], [ 23148175, 0 ], [ 23150376, 0 ], [ 23380927, 0 ], [ 23381060, 0 ], [ 23381406, 0 ], [ 23381484, 0 ], [ 23384532, 0 ], [ 23518731, 0 ], [ 23519668, 0 ], [ 23522789, 0 ], [ 23522811, 0 ], [ 23529820, 0 ], [ 23533114, 0 ], [ 23537053, 0 ], [ 23572944, 0 ], [ 23820720, 0 ], [ 23831865, 0 ], [ 23831889, 0 ], [ 23849301, 0 ] ] }, "strings": [ "Y2Fubm90" ] } ], "sha1": "0817974a72ce477537dc197d168f7abd0df8cef7", "name": "2852-0817974a72ce4775.exe_", "type": "PE32 executable (GUI) Intel 80386, for MS Windows", "sha256": "89db6b9428fbf7ecdbf59be0d0757bf00fe63ced3ff24646431b70995c64b1b4", "urls": [ "https://docs.microsoft.com/en-us/windows/desktop/wer/wer-settings", "https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date", "https://msit.powerbi.com/groups/8d49da43-4dea-44a3-ac7a-9a4351e92cc3/reports/ad136270-8017-4dec-a0b7-248102dd3579/ReportSection2", "https://portal.office.com/" ], "crc32": "59BB0CAB", "path": "/home/jean/.cuckoo/storage/analyses/5/memory/2852-0817974a72ce4775.exe_", "ssdeep": null, "size": 30797824, "sha512": "2bb5834b8302d4b153153c57d6e23f3d28410e288b74812d90cbbbcf1069e0a874849e88ad3997ebef6c97ef1fa984fd297ad7ec32c8dab94406c2142828e107", "md5": "b5922ec6f3b94cfdb7135ef77b09677d" } ], "pid": 2852 } ], "target": { "category": "file", "file": { "yara": [], "sha1": "398ed1939fa77de6c1f2ec3ada1446431fe3bb70", "name": "test.msg", "type": "CDFV2 Microsoft Outlook Message", "sha256": "0495ee8bf16f65882f016317a912ebf033d2dfd204f48fd081a190f7093b0052", "urls": [ "https://google.fr" ], "crc32": "1A87D00F", "path": "/home/jean/.cuckoo/storage/binaries/0495ee8bf16f65882f016317a912ebf033d2dfd204f48fd081a190f7093b0052", "ssdeep": null, "size": 24576, "sha512": "1f930ca0496ed41325ac3ab4ebf930b08b80bdd8ffa6a4a38d31bec32c472ab60a338d2b7284696c69ac1e1687dd7d09089812832f825193a242b20715c21a08", "md5": "2236de30c6b066ad5be3544ff6512c69" } }, "extracted": [ { "category": "script", "yara": [], "info": {}, "pid": 2916, "raw": "/home/jean/.cuckoo/storage/analyses/5/extracted/0.bat", "program": "cmd", "first_seen": 1613475151.765625 } ], "virustotal": { "summary": { "error": "resource has not been scanned yet" } }, "network": { "mitm": [] }, "signatures": [ { "families": [], "description": "One or more processes crashed", "severity": 1, "ttp": {}, "markcount": 1, "references": [], "marks": [ { "call": { "category": "__notification__", "status": 1, "stacktrace": [], "raw": [ "stacktrace" ], "api": "__exception__", "return_value": 0, "arguments": { "stacktrace": "RtlpNtEnumerateSubKey+0x2a2c isupper-0x4e13 ntdll+0xcf761 @ 0x777cf761\nRtlpNtEnumerateSubKey+0x2b0c isupper-0x4d33 ntdll+0xcf841 @ 0x777cf841\nRtlpNtEnumerateSubKey+0x2d75 isupper-0x4aca ntdll+0xcfaaa @ 0x777cfaaa\nRtlUlonglongByteSwap+0xc68f RtlFreeOemString-0x15283 ntdll+0x8939f @ 0x7778939f\nRtlDecodeSystemPointer+0x5db RtlCompareUnicodeStrings-0x1f7 ntdll+0x3ad93 @ 0x7773ad93\nRtlDecodeSystemPointer+0x546 RtlCompareUnicodeStrings-0x28c ntdll+0x3acfe @ 0x7773acfe\nRtlQueryPerformanceCounter+0xadd RtlDeleteCriticalSection-0x92c ntdll+0x33441 @ 0x77733441\nLdrUnlockLoaderLock+0xf6a RtlInitUnicodeStringEx-0x1c0 ntdll+0x37f0c @ 0x77737f0c\nLdrUnlockLoaderLock+0x1af RtlInitUnicodeStringEx-0xf7b ntdll+0x37151 @ 0x77737151\nRtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e172 @ 0x7772e172\nmalloc+0x2b free-0x15 ucrtbase+0x2f7cb @ 0x6e3ef7cb\n_IsOutlookOutsideWinMain@0-0x8114f outlook+0x3005 @ 0x143005\n_IsOutlookOutsideWinMain@0-0x80f62 outlook+0x31f2 @ 0x1431f2\n_IsOutlookOutsideWinMain@0-0x80046 outlook+0x410e @ 0x14410e\n_IsOutlookOutsideWinMain@0-0x800f2 outlook+0x4062 @ 0x144062\n_IsOutlookOutsideWinMain@0-0x7cc79 outlook+0x74db @ 0x1474db\n_initterm+0x6d _rmtmp-0x63 ucrtbase+0x272cd @ 0x6e3e72cd\n_IsOutlookOutsideWinMain@0-0x83086 outlook+0x10ce @ 0x1410ce\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x7610336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x777398f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x777398c5", "registers": { "esp": 35059896, "edi": 39903200, "eax": 35059912, "ebp": 35060016, "edx": 0, "ebx": 0, "esi": 39124992, "ecx": 2147483647 }, "exception": { "instruction_r": "eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff", "symbol": "RtlpNtEnumerateSubKey+0x1b26 isupper-0x5d19 ntdll+0xce85b", "instruction": "jmp 0x777ce86f", "module": "ntdll.dll", "exception_code": "0xc0000374", "offset": 845915, "address": "0x777ce85b" } }, "time": 1613475153.04675, "tid": 3548, "flags": {} }, "pid": 2852, "type": "call", "cid": 8 } ], "name": "raises_exception" }, { "families": [], "description": "Potentially malicious URLs were found in the process memory dump", "severity": 2, "ttp": {}, "markcount": 4, "references": [], "marks": [ { "category": "url", "ioc": "https://docs.microsoft.com/en-us/windows/desktop/wer/wer-settings", "type": "ioc", "description": null }, { "category": "url", "ioc": "https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date", "type": "ioc", "description": null }, { "category": "url", "ioc": "https://msit.powerbi.com/groups/8d49da43-4dea-44a3-ac7a-9a4351e92cc3/reports/ad136270-8017-4dec-a0b7-248102dd3579/ReportSection2", "type": "ioc", "description": null }, { "category": "url", "ioc": "https://portal.office.com/", "type": "ioc", "description": null } ], "name": "memdump_urls" } ], "behavior": { "generic": [ { "process_path": "C:\\Windows\\System32\\lsass.exe", "process_name": "lsass.exe", "pid": 504, "summary": {}, "first_seen": 1613475151.515625, "ppid": 396 }, { "process_path": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "process_name": "OUTLOOK.EXE", "pid": 2852, "summary": {}, "first_seen": 1613475152.96875, "ppid": 2916 }, { "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "process_name": "cmd.exe", "pid": 2916, "summary": {}, "first_seen": 1613475151.765625, "ppid": 3848 } ], "apistats": { "2852": { "NtCreateSection": 1, "GetSystemTimeAsFileTime": 1, "NtUnmapViewOfSection": 1, "LdrGetProcedureAddress": 3, "SetUnhandledExceptionFilter": 1, "__exception__": 1, "NtFreeVirtualMemory": 1, "NtClose": 4, "NtAllocateVirtualMemory": 3, "NtTerminateProcess": 1, "LdrGetDllHandle": 1, "NtMapViewOfSection": 1 } }, "processes": [ { "process_path": "C:\\Windows\\System32\\lsass.exe", "calls": [], "track": false, "pid": 504, "process_name": "lsass.exe", "command_line": "C:\\Windows\\system32\\lsass.exe", "modules": [ { "basename": "lsass.exe", "imgsize": 49152, "baseaddr": "0xffea0000", "filepath": "C:\\Windows\\system32\\lsass.exe" }, { "basename": "ntdll.dll", "imgsize": 1744896, "baseaddr": "0x77520000", "filepath": "C:\\Windows\\SYSTEM32\\ntdll.dll" }, { "basename": "kernel32.dll", "imgsize": 1175552, "baseaddr": "0x77400000", "filepath": "C:\\Windows\\system32\\kernel32.dll" }, { "basename": "KERNELBASE.dll", "imgsize": 434176, "baseaddr": "0x7fefd360000", "filepath": "C:\\Windows\\system32\\KERNELBASE.dll" }, { "basename": "msvcrt.dll", "imgsize": 651264, "baseaddr": "0x7fefd680000", "filepath": "C:\\Windows\\system32\\msvcrt.dll" }, { "basename": "RPCRT4.dll", "imgsize": 1232896, "baseaddr": "0x7fefe710000", "filepath": "C:\\Windows\\system32\\RPCRT4.dll" }, { "basename": "SspiSrv.dll", "imgsize": 45056, "baseaddr": "0x7fefcfd0000", "filepath": "C:\\Windows\\system32\\SspiSrv.dll" }, { "basename": "lsasrv.dll", "imgsize": 1482752, "baseaddr": "0x7fefce50000", "filepath": "C:\\Windows\\system32\\lsasrv.dll" }, { "basename": "sechost.dll", "imgsize": 126976, "baseaddr": "0x7fefe480000", "filepath": "C:\\Windows\\SYSTEM32\\sechost.dll" }, { "basename": "SspiCli.dll", "imgsize": 151552, "baseaddr": "0x7fefcfe0000", "filepath": "C:\\Windows\\system32\\SspiCli.dll" }, { "basename": "ADVAPI32.dll", "imgsize": 897024, "baseaddr": "0x7fefd9d0000", "filepath": "C:\\Windows\\system32\\ADVAPI32.dll" }, { "basename": "USER32.dll", "imgsize": 1024000, "baseaddr": "0x77300000", "filepath": "C:\\Windows\\system32\\USER32.dll" }, { "basename": "GDI32.dll", "imgsize": 421888, "baseaddr": "0x7feff7c0000", "filepath": "C:\\Windows\\system32\\GDI32.dll" }, { "basename": "LPK.dll", "imgsize": 57344, "baseaddr": "0x7fefd5d0000", "filepath": "C:\\Windows\\system32\\LPK.dll" }, { "basename": "USP10.dll", "imgsize": 831488, "baseaddr": "0x7fefdab0000", "filepath": "C:\\Windows\\system32\\USP10.dll" }, { "basename": "SAMSRV.dll", "imgsize": 790528, "baseaddr": "0x7fefcd50000", "filepath": "C:\\Windows\\system32\\SAMSRV.dll" }, { "basename": "cryptdll.dll", "imgsize": 81920, "baseaddr": "0x7fefcd20000", "filepath": "C:\\Windows\\system32\\cryptdll.dll" }, { "basename": "MSASN1.dll", "imgsize": 61440, "baseaddr": "0x7fefd210000", "filepath": "C:\\Windows\\system32\\MSASN1.dll" }, { "basename": "wevtapi.dll", "imgsize": 446464, "baseaddr": "0x7fefcc40000", "filepath": "C:\\Windows\\system32\\wevtapi.dll" }, { "basename": "IMM32.DLL", "imgsize": 188416, "baseaddr": "0x7fefde50000", "filepath": "C:\\Windows\\system32\\IMM32.DLL" }, { "basename": "MSCTF.dll", "imgsize": 1085440, "baseaddr": "0x7fefe840000", "filepath": "C:\\Windows\\system32\\MSCTF.dll" }, { "basename": "cngaudit.dll", "imgsize": 36864, "baseaddr": "0x7fefcc00000", "filepath": "C:\\Windows\\system32\\cngaudit.dll" }, { "basename": "AUTHZ.dll", "imgsize": 192512, "baseaddr": "0x7fefcbd0000", "filepath": "C:\\Windows\\system32\\AUTHZ.dll" }, { "basename": "ncrypt.dll", "imgsize": 327680, "baseaddr": "0x7fefcb80000", "filepath": "C:\\Windows\\system32\\ncrypt.dll" }, { "basename": "bcrypt.dll", "imgsize": 139264, "baseaddr": "0x7fefcb50000", "filepath": "C:\\Windows\\system32\\bcrypt.dll" }, { "basename": "msprivs.DLL", "imgsize": 8192, "baseaddr": "0x74f80000", "filepath": "C:\\Windows\\system32\\msprivs.DLL" }, { "basename": "netjoin.dll", "imgsize": 204800, "baseaddr": "0x7fefcb10000", "filepath": "C:\\Windows\\system32\\netjoin.dll" }, { "basename": "negoexts.DLL", "imgsize": 147456, "baseaddr": "0x7fefcae0000", "filepath": "C:\\Windows\\system32\\negoexts.DLL" }, { "basename": "Secur32.dll", "imgsize": 45056, "baseaddr": "0x7fefcd40000", "filepath": "C:\\Windows\\system32\\Secur32.dll" }, { "basename": "cryptbase.dll", "imgsize": 61440, "baseaddr": "0x7fefd070000", "filepath": "C:\\Windows\\system32\\cryptbase.dll" }, { "basename": "kerberos.DLL", "imgsize": 753664, "baseaddr": "0x7fefca20000", "filepath": "C:\\Windows\\system32\\kerberos.DLL" }, { "basename": "CRYPTSP.dll", "imgsize": 98304, "baseaddr": "0x7fefca00000", "filepath": "C:\\Windows\\system32\\CRYPTSP.dll" }, { "basename": "WS2_32.dll", "imgsize": 315392, "baseaddr": "0x7fefe100000", "filepath": "C:\\Windows\\system32\\WS2_32.dll" }, { "basename": "NSI.dll", "imgsize": 32768, "baseaddr": "0x7fefe520000", "filepath": "C:\\Windows\\system32\\NSI.dll" }, { "basename": "mswsock.dll", "imgsize": 348160, "baseaddr": "0x7fefc9a0000", "filepath": "C:\\Windows\\system32\\mswsock.dll" }, { "basename": "wship6.dll", "imgsize": 28672, "baseaddr": "0x7fefc990000", "filepath": "C:\\Windows\\System32\\wship6.dll" }, { "basename": "msv1_0.DLL", "imgsize": 335872, "baseaddr": "0x7fefc930000", "filepath": "C:\\Windows\\system32\\msv1_0.DLL" }, { "basename": "netlogon.DLL", "imgsize": 712704, "baseaddr": "0x7fefc880000", "filepath": "C:\\Windows\\system32\\netlogon.DLL" }, { "basename": "DNSAPI.dll", "imgsize": 372736, "baseaddr": "0x7fefc820000", "filepath": "C:\\Windows\\system32\\DNSAPI.dll" }, { "basename": "logoncli.dll", "imgsize": 196608, "baseaddr": "0x7fefc7f0000", "filepath": "C:\\Windows\\system32\\logoncli.dll" }, { "basename": "schannel.DLL", "imgsize": 360448, "baseaddr": "0x7fefc790000", "filepath": "C:\\Windows\\system32\\schannel.DLL" }, { "basename": "CRYPT32.dll", "imgsize": 1495040, "baseaddr": "0x7fefd3e0000", "filepath": "C:\\Windows\\system32\\CRYPT32.dll" }, { "basename": "wdigest.DLL", "imgsize": 221184, "baseaddr": "0x7fefc750000", "filepath": "C:\\Windows\\system32\\wdigest.DLL" }, { "basename": "rsaenh.dll", "imgsize": 290816, "baseaddr": "0x7fefc700000", "filepath": "C:\\Windows\\system32\\rsaenh.dll" }, { "basename": "tspkg.DLL", "imgsize": 102400, "baseaddr": "0x7fefc6e0000", "filepath": "C:\\Windows\\system32\\tspkg.DLL" }, { "basename": "pku2u.DLL", "imgsize": 282624, "baseaddr": "0x7fefc690000", "filepath": "C:\\Windows\\system32\\pku2u.DLL" }, { "basename": "bcryptprimitives.dll", "imgsize": 311296, "baseaddr": "0x7fefc640000", "filepath": "C:\\Windows\\system32\\bcryptprimitives.dll" }, { "basename": "RpcRtRemote.dll", "imgsize": 81920, "baseaddr": "0x7fefd160000", "filepath": "C:\\Windows\\system32\\RpcRtRemote.dll" }, { "basename": "efslsaext.dll", "imgsize": 73728, "baseaddr": "0x7fefc620000", "filepath": "C:\\Windows\\system32\\efslsaext.dll" }, { "basename": "scecli.DLL", "imgsize": 253952, "baseaddr": "0x7fefc5c0000", "filepath": "C:\\Windows\\system32\\scecli.DLL" }, { "basename": "credssp.dll", "imgsize": 40960, "baseaddr": "0x7fefc600000", "filepath": "C:\\Windows\\system32\\credssp.dll" }, { "basename": "WINSTA.dll", "imgsize": 249856, "baseaddr": "0x7fefd120000", "filepath": "C:\\Windows\\system32\\WINSTA.dll" }, { "basename": "IPHLPAPI.DLL", "imgsize": 159744, "baseaddr": "0x7fefc440000", "filepath": "C:\\Windows\\system32\\IPHLPAPI.DLL" }, { "basename": "WINNSI.DLL", "imgsize": 45056, "baseaddr": "0x7fefc430000", "filepath": "C:\\Windows\\system32\\WINNSI.DLL" }, { "basename": "netutils.dll", "imgsize": 49152, "baseaddr": "0x7fefafd0000", "filepath": "C:\\Windows\\system32\\netutils.dll" }, { "basename": "wkscli.dll", "imgsize": 86016, "baseaddr": "0x7fefafa0000", "filepath": "C:\\Windows\\system32\\wkscli.dll" }, { "basename": "USERENV.dll", "imgsize": 122880, "baseaddr": "0x7fefd250000", "filepath": "C:\\Windows\\system32\\USERENV.dll" }, { "basename": "profapi.dll", "imgsize": 61440, "baseaddr": "0x7fefd220000", "filepath": "C:\\Windows\\system32\\profapi.dll" }, { "basename": "wshtcpip.dll", "imgsize": 28672, "baseaddr": "0x7fefc300000", "filepath": "C:\\Windows\\System32\\wshtcpip.dll" }, { "basename": "dssenh.dll", "imgsize": 204800, "baseaddr": "0x7fef1c60000", "filepath": "C:\\Windows\\system32\\dssenh.dll" }, { "basename": "GPAPI.dll", "imgsize": 110592, "baseaddr": "0x7fefc4b0000", "filepath": "C:\\Windows\\system32\\GPAPI.dll" }, { "basename": "monitor-x64.dll", "imgsize": 2269184, "baseaddr": "0x6e6b0000", "filepath": "C:\\tmped72ov\\bin\\monitor-x64.dll" } ], "time": 0, "tid": 388, "first_seen": 1613475151.515625, "ppid": 396, "type": "process" }, { "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "calls": [], "track": true, "pid": 2916, "process_name": "cmd.exe", "command_line": "\"C:\\Windows\\System32\\cmd.exe\" /c start /wait \"EOQNXBK\" C:\\Users\\mes-vms\\AppData\\Local\\Temp\\test.msg", "modules": [ { "basename": "cmd.exe", "imgsize": 311296, "baseaddr": "0x4a440000", "filepath": "C:\\Windows\\SysWOW64\\cmd.exe" }, { "basename": "ntdll.dll", "imgsize": 1572864, "baseaddr": "0x77700000", "filepath": "C:\\Windows\\SysWOW64\\ntdll.dll" }, { "basename": "kernel32.dll", "imgsize": 1114112, "baseaddr": "0x760f0000", "filepath": "C:\\Windows\\syswow64\\kernel32.dll" }, { "basename": "KERNELBASE.dll", "imgsize": 290816, "baseaddr": "0x75a80000", "filepath": "C:\\Windows\\syswow64\\KERNELBASE.dll" }, { "basename": "msvcrt.dll", "imgsize": 704512, "baseaddr": "0x77250000", "filepath": "C:\\Windows\\syswow64\\msvcrt.dll" }, { "basename": "WINBRAND.dll", "imgsize": 28672, "baseaddr": "0x73c40000", "filepath": "C:\\Windows\\System32\\WINBRAND.dll" }, { "basename": "USER32.dll", "imgsize": 1048576, "baseaddr": "0x752d0000", "filepath": "C:\\Windows\\syswow64\\USER32.dll" }, { "basename": "GDI32.dll", "imgsize": 589824, "baseaddr": "0x75db0000", "filepath": "C:\\Windows\\syswow64\\GDI32.dll" }, { "basename": "LPK.dll", "imgsize": 40960, "baseaddr": "0x76410000", "filepath": "C:\\Windows\\syswow64\\LPK.dll" }, { "basename": "USP10.dll", "imgsize": 643072, "baseaddr": "0x753d0000", "filepath": "C:\\Windows\\syswow64\\USP10.dll" }, { "basename": "ADVAPI32.dll", "imgsize": 659456, "baseaddr": "0x75cf0000", "filepath": "C:\\Windows\\syswow64\\ADVAPI32.dll" }, { "basename": "sechost.dll", "imgsize": 102400, "baseaddr": "0x75720000", "filepath": "C:\\Windows\\SysWOW64\\sechost.dll" }, { "basename": "RPCRT4.dll", "imgsize": 983040, "baseaddr": "0x751e0000", "filepath": "C:\\Windows\\syswow64\\RPCRT4.dll" }, { "basename": "SspiCli.dll", "imgsize": 393216, "baseaddr": "0x74fa0000", "filepath": "C:\\Windows\\syswow64\\SspiCli.dll" }, { "basename": "CRYPTBASE.dll", "imgsize": 49152, "baseaddr": "0x74f90000", "filepath": "C:\\Windows\\syswow64\\CRYPTBASE.dll" }, { "basename": "IMM32.DLL", "imgsize": 393216, "baseaddr": "0x75c90000", "filepath": "C:\\Windows\\system32\\IMM32.DLL" }, { "basename": "MSCTF.dll", "imgsize": 839680, "baseaddr": "0x759a0000", "filepath": "C:\\Windows\\syswow64\\MSCTF.dll" }, { "basename": "monitor-x86.dll", "imgsize": 2117632, "baseaddr": "0x6e4a0000", "filepath": "C:\\tmped72ov\\bin\\monitor-x86.dll" } ], "time": 0, "tid": 3908, "first_seen": 1613475151.765625, "ppid": 3848, "type": "process" }, { "process_path": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "calls": [ { "category": "synchronisation", "status": 1, "stacktrace": [], "api": "GetSystemTimeAsFileTime", "return_value": 0, "arguments": {}, "time": 1613475153.04675, "tid": 3548, "flags": {} }, { "category": "system", "status": 1, "stacktrace": [], "api": "LdrGetDllHandle", "return_value": 0, "arguments": { "module_name": "api-ms-win-core-synch-l1-2-0.dll", "stack_pivoted": 0, "module_address": "0x72cc0000" }, "time": 1613475153.04675, "tid": 3548, "flags": {} }, { "category": "system", "status": 1, "stacktrace": [], "api": "LdrGetProcedureAddress", "return_value": 0, "arguments": { "ordinal": 0, "module": "api-ms-win-core-synch-l1-2-0", "module_address": "0x72cc0000", "function_address": "0x77738461", "function_name": "InitializeConditionVariable" }, "time": 1613475153.04675, "tid": 3548, "flags": {} }, { "category": "system", "status": 1, "stacktrace": [], "api": "LdrGetProcedureAddress", "return_value": 0, "arguments": { "ordinal": 0, "module": "api-ms-win-core-synch-l1-2-0", "module_address": "0x72cc0000", "function_address": "0x761852b2", "function_name": "SleepConditionVariableCS" }, "time": 1613475153.04675, "tid": 3548, "flags": {} }, { "category": "system", "status": 1, "stacktrace": [], "api": "LdrGetProcedureAddress", "return_value": 0, "arguments": { "ordinal": 0, "module": "api-ms-win-core-synch-l1-2-0", "module_address": "0x72cc0000", "function_address": "0x77763b17", "function_name": "WakeAllConditionVariable" }, "time": 1613475153.04675, "tid": 3548, "flags": {} }, { "category": "exception", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741515, "api": "SetUnhandledExceptionFilter", "return_value": 0, "arguments": {}, "time": 1613475153.04675, "tid": 3548, "flags": {} }, { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2852, "region_size": 16384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 4, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x0260a000" }, "time": 1613475153.04675, "tid": 3548, "flags": { "protection": "PAGE_READWRITE", "allocation_type": "MEM_COMMIT" } }, { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2852, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 4, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x0260e000" }, "time": 1613475153.04675, "tid": 3548, "flags": { "protection": "PAGE_READWRITE", "allocation_type": "MEM_COMMIT" } }, { "category": "__notification__", "status": 1, "stacktrace": [], "api": "__exception__", "return_value": 0, "arguments": { "stacktrace": [ "RtlpNtEnumerateSubKey+0x2a2c isupper-0x4e13 ntdll+0xcf761 @ 0x777cf761", "RtlpNtEnumerateSubKey+0x2b0c isupper-0x4d33 ntdll+0xcf841 @ 0x777cf841", "RtlpNtEnumerateSubKey+0x2d75 isupper-0x4aca ntdll+0xcfaaa @ 0x777cfaaa", "RtlUlonglongByteSwap+0xc68f RtlFreeOemString-0x15283 ntdll+0x8939f @ 0x7778939f", "RtlDecodeSystemPointer+0x5db RtlCompareUnicodeStrings-0x1f7 ntdll+0x3ad93 @ 0x7773ad93", "RtlDecodeSystemPointer+0x546 RtlCompareUnicodeStrings-0x28c ntdll+0x3acfe @ 0x7773acfe", "RtlQueryPerformanceCounter+0xadd RtlDeleteCriticalSection-0x92c ntdll+0x33441 @ 0x77733441", "LdrUnlockLoaderLock+0xf6a RtlInitUnicodeStringEx-0x1c0 ntdll+0x37f0c @ 0x77737f0c", "LdrUnlockLoaderLock+0x1af RtlInitUnicodeStringEx-0xf7b ntdll+0x37151 @ 0x77737151", "RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e172 @ 0x7772e172", "malloc+0x2b free-0x15 ucrtbase+0x2f7cb @ 0x6e3ef7cb", "_IsOutlookOutsideWinMain@0-0x8114f outlook+0x3005 @ 0x143005", "_IsOutlookOutsideWinMain@0-0x80f62 outlook+0x31f2 @ 0x1431f2", "_IsOutlookOutsideWinMain@0-0x80046 outlook+0x410e @ 0x14410e", "_IsOutlookOutsideWinMain@0-0x800f2 outlook+0x4062 @ 0x144062", "_IsOutlookOutsideWinMain@0-0x7cc79 outlook+0x74db @ 0x1474db", "_initterm+0x6d _rmtmp-0x63 ucrtbase+0x272cd @ 0x6e3e72cd", "_IsOutlookOutsideWinMain@0-0x83086 outlook+0x10ce @ 0x1410ce", "BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x7610336a", "RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x777398f2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x777398c5" ], "registers": { "esp": 35059896, "edi": 39903200, "eax": 35059912, "ebp": 35060016, "edx": 0, "ebx": 0, "esi": 39124992, "ecx": 2147483647 }, "exception": { "instruction_r": "eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff", "symbol": "RtlpNtEnumerateSubKey+0x1b26 isupper-0x5d19 ntdll+0xce85b", "instruction": "jmp 0x777ce86f", "module": "ntdll.dll", "exception_code": "0xc0000374", "offset": 845915, "address": "0x777ce85b" } }, "time": 1613475153.04675, "tid": 3548, "flags": {} }, { "category": "process", "status": 1, "stacktrace": [], "api": "NtCreateSection", "return_value": 0, "arguments": { "section_handle": "0x00000168", "object_handle": "0x00000000", "desired_access": "0x000f0007", "protection": 4, "section_name": "", "file_handle": "0x00000000" }, "time": 1613475153.04675, "tid": 3548, "flags": { "desired_access": "STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER" } }, { "category": "process", "status": 1, "stacktrace": [], "api": "NtMapViewOfSection", "return_value": 0, "arguments": { "section_handle": "0x00000168", "process_identifier": 2852, "commit_size": 0, "win32_protect": 4, "buffer": "", "process_handle": "0xffffffff", "allocation_type": 0, "section_offset": 0, "view_size": 4096, "base_address": "0x01fd0000" }, "time": 1613475153.04675, "tid": 3548, "flags": { "win32_protect": "PAGE_READWRITE", "allocation_type": "" } }, { "category": "system", "status": 1, "stacktrace": [], "api": "NtClose", "return_value": 0, "arguments": { "handle": "0x0000016c" }, "time": 1613475154.59375, "tid": 3548, "flags": {} }, { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2852, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 4, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x01fe0000" }, "time": 1613475154.59375, "tid": 3548, "flags": { "protection": "PAGE_READWRITE", "allocation_type": "MEM_COMMIT" } }, { "category": "process", "status": 1, "stacktrace": [], "api": "NtFreeVirtualMemory", "return_value": 0, "arguments": { "free_type": 32768, "process_identifier": 2852, "process_handle": "0xffffffff", "base_address": "0x01fe0000", "size": 4096 }, "time": 1613475154.62475, "tid": 3548, "flags": {} }, { "category": "system", "status": 1, "stacktrace": [], "api": "NtClose", "return_value": 0, "arguments": { "handle": "0x0000016c" }, "time": 1613475154.62475, "tid": 3548, "flags": {} }, { "category": "process", "status": 1, "stacktrace": [], "api": "NtUnmapViewOfSection", "return_value": 0, "arguments": { "process_identifier": 2852, "region_size": 4096, "process_handle": "0xffffffff", "base_address": "0x01fd0000" }, "time": 1613475154.65675, "tid": 3548, "flags": {} }, { "category": "system", "status": 1, "stacktrace": [], "api": "NtClose", "return_value": 0, "arguments": { "handle": "0x00000168" }, "time": 1613475154.65675, "tid": 3548, "flags": {} }, { "category": "system", "status": 1, "stacktrace": [], "api": "NtClose", "return_value": 0, "arguments": { "handle": "0x00000170" }, "time": 1613475154.65675, "tid": 3548, "flags": {} }, { "category": "process", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741054, "api": "NtTerminateProcess", "return_value": 0, "arguments": { "status_code": "0xc0000374", "process_identifier": 2852, "process_handle": "0xffffffff" }, "time": 1613475155.31275, "tid": 3548, "flags": {} } ], "track": true, "pid": 2852, "process_name": "OUTLOOK.EXE", "command_line": "\"C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\OUTLOOK.EXE\" /f \"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\test.msg\"", "modules": [ { "basename": "OUTLOOK.EXE", "imgsize": 30797824, "baseaddr": "0x140000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\OUTLOOK.EXE" }, { "basename": "ntdll.dll", "imgsize": 1572864, "baseaddr": "0x77700000", "filepath": "C:\\Windows\\SysWOW64\\ntdll.dll" }, { "basename": "kernel32.dll", "imgsize": 1114112, "baseaddr": "0x760f0000", "filepath": "C:\\Windows\\syswow64\\kernel32.dll" }, { "basename": "KERNELBASE.dll", "imgsize": 290816, "baseaddr": "0x75a80000", "filepath": "C:\\Windows\\syswow64\\KERNELBASE.dll" }, { "basename": "AppVIsvSubsystems32.dll", "imgsize": 2007040, "baseaddr": "0x72aa0000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\AppVIsvSubsystems32.dll" }, { "basename": "c2r32.dll", "imgsize": 2039808, "baseaddr": "0x71e00000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\c2r32.dll" }, { "basename": "OLEAUT32.dll", "imgsize": 593920, "baseaddr": "0x76450000", "filepath": "C:\\Windows\\syswow64\\OLEAUT32.dll" }, { "basename": "ole32.dll", "imgsize": 1429504, "baseaddr": "0x75760000", "filepath": "C:\\Windows\\syswow64\\ole32.dll" }, { "basename": "msvcrt.dll", "imgsize": 704512, "baseaddr": "0x77250000", "filepath": "C:\\Windows\\syswow64\\msvcrt.dll" }, { "basename": "GDI32.dll", "imgsize": 589824, "baseaddr": "0x75db0000", "filepath": "C:\\Windows\\syswow64\\GDI32.dll" }, { "basename": "USER32.dll", "imgsize": 1048576, "baseaddr": "0x752d0000", "filepath": "C:\\Windows\\syswow64\\USER32.dll" }, { "basename": "ADVAPI32.dll", "imgsize": 659456, "baseaddr": "0x75cf0000", "filepath": "C:\\Windows\\syswow64\\ADVAPI32.dll" }, { "basename": "sechost.dll", "imgsize": 102400, "baseaddr": "0x75720000", "filepath": "C:\\Windows\\SysWOW64\\sechost.dll" }, { "basename": "RPCRT4.dll", "imgsize": 983040, "baseaddr": "0x751e0000", "filepath": "C:\\Windows\\syswow64\\RPCRT4.dll" }, { "basename": "SspiCli.dll", "imgsize": 393216, "baseaddr": "0x74fa0000", "filepath": "C:\\Windows\\syswow64\\SspiCli.dll" }, { "basename": "CRYPTBASE.dll", "imgsize": 49152, "baseaddr": "0x74f90000", "filepath": "C:\\Windows\\syswow64\\CRYPTBASE.dll" }, { "basename": "LPK.dll", "imgsize": 40960, "baseaddr": "0x76410000", "filepath": "C:\\Windows\\syswow64\\LPK.dll" }, { "basename": "USP10.dll", "imgsize": 643072, "baseaddr": "0x753d0000", "filepath": "C:\\Windows\\syswow64\\USP10.dll" }, { "basename": "SHELL32.dll", "imgsize": 12894208, "baseaddr": "0x76550000", "filepath": "C:\\Windows\\syswow64\\SHELL32.dll" }, { "basename": "SHLWAPI.dll", "imgsize": 356352, "baseaddr": "0x764f0000", "filepath": "C:\\Windows\\syswow64\\SHLWAPI.dll" }, { "basename": "USERENV.dll", "imgsize": 94208, "baseaddr": "0x76420000", "filepath": "C:\\Windows\\syswow64\\USERENV.dll" }, { "basename": "profapi.dll", "imgsize": 45056, "baseaddr": "0x75a70000", "filepath": "C:\\Windows\\syswow64\\profapi.dll" }, { "basename": "NETAPI32.dll", "imgsize": 69632, "baseaddr": "0x72e40000", "filepath": "C:\\Windows\\system32\\NETAPI32.dll" }, { "basename": "netutils.dll", "imgsize": 36864, "baseaddr": "0x73950000", "filepath": "C:\\Windows\\system32\\netutils.dll" }, { "basename": "srvcli.dll", "imgsize": 102400, "baseaddr": "0x72de0000", "filepath": "C:\\Windows\\system32\\srvcli.dll" }, { "basename": "wkscli.dll", "imgsize": 61440, "baseaddr": "0x730c0000", "filepath": "C:\\Windows\\system32\\wkscli.dll" }, { "basename": "wevtapi.dll", "imgsize": 270336, "baseaddr": "0x72eb0000", "filepath": "C:\\Windows\\system32\\wevtapi.dll" }, { "basename": "OutlookServicing.dll", "imgsize": 118784, "baseaddr": "0x72e90000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\OutlookServicing.dll" }, { "basename": "VCRUNTIME140.dll", "imgsize": 77824, "baseaddr": "0x72e70000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\VCRUNTIME140.dll" }, { "basename": "api-ms-win-crt-runtime-l1-1-0.dll", "imgsize": 16384, "baseaddr": "0x72e60000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-runtime-l1-1-0.dll" }, { "basename": "ucrtbase.DLL", "imgsize": 901120, "baseaddr": "0x6e3c0000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\ucrtbase.DLL" }, { "basename": "api-ms-win-core-timezone-l1-1-0.dll", "imgsize": 12288, "baseaddr": "0x738e0000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-timezone-l1-1-0.dll" }, { "basename": "api-ms-win-core-file-l2-1-0.dll", "imgsize": 12288, "baseaddr": "0x72e30000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-file-l2-1-0.dll" }, { "basename": "api-ms-win-core-localization-l1-2-0.dll", "imgsize": 12288, "baseaddr": "0x72cd0000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-localization-l1-2-0.dll" }, { "basename": "api-ms-win-core-synch-l1-2-0.dll", "imgsize": 12288, "baseaddr": "0x72cc0000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-synch-l1-2-0.dll" }, { "basename": "api-ms-win-core-processthreads-l1-1-1.dll", "imgsize": 12288, "baseaddr": "0x72cb0000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-processthreads-l1-1-1.dll" }, { "basename": "api-ms-win-core-file-l1-2-0.dll", "imgsize": 12288, "baseaddr": "0x72ca0000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-file-l1-2-0.dll" }, { "basename": "api-ms-win-crt-heap-l1-1-0.dll", "imgsize": 12288, "baseaddr": "0x72a90000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-heap-l1-1-0.dll" }, { "basename": "api-ms-win-crt-string-l1-1-0.dll", "imgsize": 16384, "baseaddr": "0x72a80000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-string-l1-1-0.dll" }, { "basename": "api-ms-win-crt-stdio-l1-1-0.dll", "imgsize": 16384, "baseaddr": "0x72a70000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-stdio-l1-1-0.dll" }, { "basename": "api-ms-win-crt-convert-l1-1-0.dll", "imgsize": 16384, "baseaddr": "0x72a60000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-convert-l1-1-0.dll" }, { "basename": "MSVCP140.dll", "imgsize": 454656, "baseaddr": "0x729f0000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\MSVCP140.dll" }, { "basename": "api-ms-win-crt-locale-l1-1-0.dll", "imgsize": 12288, "baseaddr": "0x729e0000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-locale-l1-1-0.dll" }, { "basename": "api-ms-win-crt-math-l1-1-0.dll", "imgsize": 20480, "baseaddr": "0x729d0000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-math-l1-1-0.dll" }, { "basename": "api-ms-win-crt-filesystem-l1-1-0.dll", "imgsize": 12288, "baseaddr": "0x72860000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-filesystem-l1-1-0.dll" }, { "basename": "api-ms-win-crt-time-l1-1-0.dll", "imgsize": 12288, "baseaddr": "0x72850000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-time-l1-1-0.dll" }, { "basename": "api-ms-win-crt-environment-l1-1-0.dll", "imgsize": 12288, "baseaddr": "0x72840000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-environment-l1-1-0.dll" }, { "basename": "api-ms-win-crt-utility-l1-1-0.dll", "imgsize": 12288, "baseaddr": "0x72830000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-utility-l1-1-0.dll" }, { "basename": "IPHLPAPI.DLL", "imgsize": 114688, "baseaddr": "0x728d0000", "filepath": "C:\\Windows\\system32\\IPHLPAPI.DLL" }, { "basename": "NSI.dll", "imgsize": 24576, "baseaddr": "0x75470000", "filepath": "C:\\Windows\\syswow64\\NSI.dll" }, { "basename": "WINNSI.DLL", "imgsize": 28672, "baseaddr": "0x72c90000", "filepath": "C:\\Windows\\system32\\WINNSI.DLL" }, { "basename": "api-ms-win-crt-multibyte-l1-1-0.dll", "imgsize": 20480, "baseaddr": "0x72820000", "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-multibyte-l1-1-0.dll" }, { "basename": "gdiplus.dll", "imgsize": 1642496, "baseaddr": "0x73330000", "filepath": "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_5c0be957a009922e\\gdiplus.dll" }, { "basename": "RstrtMgr.DLL", "imgsize": 163840, "baseaddr": "0x728a0000", "filepath": "C:\\Windows\\system32\\RstrtMgr.DLL" }, { "basename": "ncrypt.dll", "imgsize": 233472, "baseaddr": "0x71d90000", "filepath": "C:\\Windows\\system32\\ncrypt.dll" }, { "basename": "bcrypt.dll", "imgsize": 94208, "baseaddr": "0x730a0000", "filepath": "C:\\Windows\\system32\\bcrypt.dll" }, { "basename": "MSASN1.dll", "imgsize": 49152, "baseaddr": "0x771e0000", "filepath": "C:\\Windows\\syswow64\\MSASN1.dll" }, { "basename": "IMM32.DLL", "imgsize": 393216, "baseaddr": "0x75c90000", "filepath": "C:\\Windows\\system32\\IMM32.DLL" }, { "basename": "MSCTF.dll", "imgsize": 839680, "baseaddr": "0x759a0000", "filepath": "C:\\Windows\\syswow64\\MSCTF.dll" }, { "basename": "monitor-x86.dll", "imgsize": 2117632, "baseaddr": "0x6e4a0000", "filepath": "C:\\tmped72ov\\bin\\monitor-x86.dll" } ], "time": 0, "tid": 3548, "first_seen": 1613475152.96875, "ppid": 2916, "type": "process" } ], "processtree": [ { "track": false, "pid": 504, "process_name": "lsass.exe", "command_line": "C:\\Windows\\system32\\lsass.exe", "first_seen": 1613475151.515625, "ppid": 396, "children": [] }, { "track": true, "pid": 2916, "process_name": "cmd.exe", "command_line": "\"C:\\Windows\\System32\\cmd.exe\" /c start /wait \"EOQNXBK\" C:\\Users\\mes-vms\\AppData\\Local\\Temp\\test.msg", "first_seen": 1613475151.765625, "ppid": 3848, "children": [ { "track": true, "pid": 2852, "process_name": "OUTLOOK.EXE", "command_line": "\"C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\OUTLOOK.EXE\" /f \"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\test.msg\"", "first_seen": 1613475152.96875, "ppid": 2916, "children": [] } ] } ] }, "debug": { "action": [ "gatherer" ], "dbgview": [], "errors": [ "Unable to stop auxiliary module: Sniffer\nTraceback (most recent call last):\n File \"/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py\", line 164, in stop\n module.stop()\n File \"/usr/local/lib/python2.7/dist-packages/cuckoo/auxiliary/sniffer.py\", line 156, in stop\n (out, err, faq(\"permission-denied-for-tcpdump\"))\nCuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = 'tcpdump: vboxnet0: That device is not up\\n'. Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor, see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?" ], "log": [ "2021-02-16 11:32:31,000 [analyzer] DEBUG: Starting analyzer from: C:\\tmped72ov\n", "2021-02-16 11:32:31,015 [analyzer] DEBUG: Pipe server name: \\??\\PIPE\\wgvEwrMJxeaYcOVZaoGwrbURjTFYhv\n", "2021-02-16 11:32:31,015 [analyzer] DEBUG: Log pipe server name: \\??\\PIPE\\oPNYCSiawcQxbkzJiNOybODszVH\n", "2021-02-16 11:32:31,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.\n", "2021-02-16 11:32:31,015 [analyzer] INFO: Automatically selected analysis package \"generic\"\n", "2021-02-16 11:32:31,217 [analyzer] DEBUG: Started auxiliary module DbgView\n", "2021-02-16 11:32:31,421 [analyzer] DEBUG: Started auxiliary module Disguise\n", "2021-02-16 11:32:31,578 [analyzer] DEBUG: Loaded monitor into process with pid 504\n", "2021-02-16 11:32:31,592 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets\n", "2021-02-16 11:32:31,592 [analyzer] DEBUG: Started auxiliary module Human\n", "2021-02-16 11:32:31,592 [analyzer] DEBUG: Started auxiliary module InstallCertificate\n", "2021-02-16 11:32:31,592 [analyzer] DEBUG: Started auxiliary module Reboot\n", "2021-02-16 11:32:31,625 [analyzer] DEBUG: Started auxiliary module RecentFiles\n", "2021-02-16 11:32:31,625 [analyzer] DEBUG: Started auxiliary module Screenshots\n", "2021-02-16 11:32:31,625 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n\n", "2021-02-16 11:32:31,671 [lib.api.process] INFO: Successfully executed process from path 'C:\\\\Windows\\\\System32\\\\cmd.exe' with arguments ['/c', 'start', '/wait', '\"EOQNXBK\"', u'C:\\\\Users\\\\mes-vms\\\\AppData\\\\Local\\\\Temp\\\\test.msg'] and pid 2916\n", "2021-02-16 11:32:31,858 [analyzer] DEBUG: Loaded monitor into process with pid 2916\n", "2021-02-16 11:32:32,171 [analyzer] INFO: Injected into process with pid 2852 and name u'\\uc7d0\\u026c'\n", "2021-02-16 11:32:32,842 [lib.api.process] INFO: Memory dump of process with pid 2852 completed\n", "2021-02-16 11:32:33,046 [analyzer] DEBUG: Loaded monitor into process with pid 2852\n", "2021-02-16 11:32:35,312 [lib.api.process] INFO: Memory dump of process with pid 2852 completed\n", "2021-02-16 11:32:35,328 [lib.api.process] WARNING: The process with pid 2916 is not alive, memory dump aborted\n", "2021-02-16 11:32:35,687 [analyzer] INFO: Process with pid 2916 has terminated\n", "2021-02-16 11:32:36,687 [analyzer] INFO: Process with pid 2852 has terminated\n", "2021-02-16 11:32:36,687 [analyzer] INFO: Process list is empty, terminating analysis.\n", "2021-02-16 11:32:37,687 [analyzer] INFO: Analysis completed.\n" ], "cuckoo": [ "2021-02-16 11:32:31,540 [cuckoo.core.scheduler] INFO: Task #5: acquired machine cuckoo1 (label=win7cuckoo)\n", "2021-02-16 11:32:31,540 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.56.101 for task #5\n", "2021-02-16 11:32:31,541 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Replay\n", "2021-02-16 11:32:31,551 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 19829 (interface=vboxnet0, host=192.168.56.101)\n", "2021-02-16 11:32:31,552 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer\n", "2021-02-16 11:32:31,569 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7cuckoo\n", "2021-02-16 11:32:31,683 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7cuckoo to cuckoo-ready6\n", "2021-02-16 11:32:38,530 [cuckoo.core.guest] INFO: Starting analysis #5 on guest (id=cuckoo1, ip=192.168.56.101)\n", "2021-02-16 11:32:39,540 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n", "2021-02-16 11:32:40,543 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n", "2021-02-16 11:32:41,546 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n", "2021-02-16 11:32:41,612 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n", "2021-02-16 11:32:42,625 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=cuckoo1, ip=192.168.56.101)\n", "2021-02-16 11:32:42,657 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=3894261)\n", "2021-02-16 11:32:42,985 [cuckoo.core.resultserver] DEBUG: Task #5: live log analysis.log initialized.\n", "2021-02-16 11:32:43,500 [cuckoo.core.resultserver] DEBUG: Task #5 is sending a BSON stream\n", "2021-02-16 11:32:43,750 [cuckoo.core.resultserver] DEBUG: Task #5 is sending a BSON stream\n", "2021-02-16 11:32:44,759 [cuckoo.core.resultserver] DEBUG: Task #5: File upload for 'memory/2852-1.dmp'\n", "2021-02-16 11:32:44,759 [cuckoo.core.resultserver] DEBUG: Task #5: File upload for 'shots/0001.jpg'\n", "2021-02-16 11:32:44,762 [cuckoo.core.resultserver] DEBUG: Task #5 uploaded file length: 60906\n", "2021-02-16 11:32:44,835 [cuckoo.core.resultserver] DEBUG: Task #5 uploaded file length: 34079512\n", "2021-02-16 11:32:44,952 [cuckoo.core.resultserver] DEBUG: Task #5 is sending a BSON stream\n", "2021-02-16 11:32:45,867 [cuckoo.core.resultserver] DEBUG: Task #5: File upload for 'shots/0002.jpg'\n", "2021-02-16 11:32:45,871 [cuckoo.core.resultserver] DEBUG: Task #5 uploaded file length: 60609\n", "2021-02-16 11:32:47,139 [cuckoo.core.resultserver] DEBUG: Task #5: File upload for 'memory/2852-2.dmp'\n", "2021-02-16 11:32:47,289 [cuckoo.core.resultserver] DEBUG: Task #5 uploaded file length: 78095000\n", "2021-02-16 11:32:47,885 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #5 still processing\n", "2021-02-16 11:32:48,004 [cuckoo.core.resultserver] DEBUG: Task #5: File upload for 'shots/0003.jpg'\n", "2021-02-16 11:32:48,006 [cuckoo.core.resultserver] DEBUG: Task #5 uploaded file length: 50920\n", "2021-02-16 11:32:49,902 [cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully\n", "2021-02-16 11:32:49,909 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Replay\n", "2021-02-16 11:32:49,910 [cuckoo.core.plugins] ERROR: Unable to stop auxiliary module: Sniffer\n", "Traceback (most recent call last):\n", " File \"/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py\", line 164, in stop\n", " module.stop()\n", " File \"/usr/local/lib/python2.7/dist-packages/cuckoo/auxiliary/sniffer.py\", line 156, in stop\n", " (out, err, faq(\"permission-denied-for-tcpdump\"))\n", "CuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = 'tcpdump: vboxnet0: That device is not up\\n'. Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor, see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?\n", "2021-02-16 11:32:52,148 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7cuckoo to path /home/jean/.cuckoo/storage/analyses/5/memory.dmp\n", "2021-02-16 11:32:52,152 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7cuckoo\n", "202" ] }, "screenshots": [ { "path": "/home/jean/.cuckoo/storage/analyses/5/shots/0001.jpg", "ocr": "" }, { "path": "/home/jean/.cuckoo/storage/analyses/5/shots/0002.jpg", "ocr": "" }, { "path": "/home/jean/.cuckoo/storage/analyses/5/shots/0003.jpg", "ocr": "" } ], "strings": [ "test00292@outlook.fr", "LZFuiq", "rcpg125", "Chtml1", "64\u001fz!G", "tps://", "google.", "st{HYPE", "RLINK %", "9_?:o;", "https://google.fr", "multipart/alternative; boundary=\"000000000000f3441005b82466dd\"; charset=\"utf-8\"", "00000003", "test00292@o", "test00292@outlook.fr", "00000003", "test00292@o", "test00292@outlook.fr", "test00292@outlook.fr", "", "jeanjestin@gmail.com", "SMTP:JEANJESTIN@GMAIL.COM", "jean jestin", "test00292@outlook.fr", "test00292@outlook.fr", "Received: from AM7EUR06HT038.eop-eur06.prod.protection.outlook.com", " (2603:10a6:208:17c::12) by AM0PR04MB5777.eurprd04.prod.outlook.com with HTTPS", " via AM0PR10CA0002.EURPRD10.PROD.OUTLOOK.COM; Tue, 5 Jan 2021 10:09:30 +0000", "Received: from AM7EUR06FT042.eop-eur06.prod.protection.outlook.com", " (2a01:111:e400:fc36::45) by", " AM7EUR06HT038.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::335)", " with Microsoft SMTP Server (version=TLS1_2,", " cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3721.20; Tue, 5 Jan", " 2021 10:09:30 +0000", "Authentication-Results: spf=pass (sender IP is 209.85.161.54)", " smtp.mailfrom=gmail.com; outlook.fr; dkim=pass (signature was verified)", " header.d=gmail.com;outlook.fr; dmarc=pass action=none", " header.from=gmail.com;compauth=pass reason=100", "Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates", " 209.85.161.54 as permitted sender) receiver=protection.outlook.com;", " client-ip=209.85.161.54; helo=mail-oo1-f54.google.com;", "Received: from mail-oo1-f54.google.com (209.85.161.54) by", " AM7EUR06FT042.mail.protection.outlook.com (10.233.255.77) with Microsoft SMTP", " Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id", " 15.20.3721.20 via Frontend Transport; Tue, 5 Jan 2021 10:09:30 +0000", "X-IncomingTopHeaderMarker:", " OriginalChecksum:9E1B40C9E576E27DF70DA26D3F677E8CAEFBBE011CAF4BCDEBB9DF5109053767;UpperCasedChecksum:698A730C8DBC01D9C2C903FEAC863B9005C80700FE95F2E57BD1F84F80AECC23;SizeAsReceived:2069;Count:13", "Received: by mail-oo1-f54.google.com with SMTP id i18so6949389ooh.5", " for ; Tue, 05 Jan 2021 02:09:30 -0800 (PST)", "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;", " d=gmail.com; s=20161025;", " h=mime-version:from:date:message-id:subject:to;", " bh=egi3rmVw1Zt8Q9h8gOFwTYvN/MWXhtmBJUUCE8JMZa4=;", " b=lboKHEIiNRkdgCabcrBlvrb8A1d+C78bQsJF6vlopRFyOLhRM/2A90gA5gWvIBrcBR", " rc+PkV+NBtQ+RBBg5xgXv/z83/I3TWSdNGKEUL3bKbaHYFb1PiVVtN3u5T1jrijRzYUR", " mOZw3kGdsN9PRoYOfg7K2sNOUROuT9tVXti05I3Hh7ulylIisBNCOPDl0QlkTKdd+VIf", " C9jSI03RvT9Dt0E23RXyx6iIqVROtmjcOwEHVI3XkEG4PrBansSH6lRMezv4SFfNGem8", " TLrt1WFjpKoHM1F3FuGFGoZLycmJlNLWp/t5ZPhSTjTCfvIXvmAegaqj02lh6VOXkgiC", " xwHA==", "X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;", " d=1e100.net; s=20161025;", " h=x-gm-message-state:mime-version:from:date:message-id:subject:to;", " bh=egi3rmVw1Zt8Q9h8gOFwTYvN/MWXhtmBJUUCE8JMZa4=;", " b=uNiQpiRze+g8kikQtu2qTFswyA3cAFTJ8nIySjbGGeQ3meYmF5NFddXcagQZjCuVny", " RBFC0+JsQYm11Yxu1QZNfMwsBuua1eTRSK6ZRmuUS3zlDWu8QcWkM+aoJ8yLkd09r1gb", " TZkPC94xZf3Y/H0i+ttr6zTN6MZ2BH7EDMsHjI4NzGnQl+LYi20VjJBBBuhjl5ng9uYI", " t/tVVSZGYsTc3XYerLcNQ+AUQuJVufKiWPiim3jCnat53t+shD+oJRnI6aoNaHf1bvyf", " p8Vq4Y0OPuX3fAK0ESarA692TWH81S6k4WdJMIaxSShdEcNvBGxnEECZzsAE37aYJunB", " eqpg==", "X-Gm-Message-State: AOAM5329qrWQ4MER5zxkoFGqtYPFHLqE/9g0kI01nXhwb/sPxEY14wJk", "cZLV1FZEG8meRWVOoksuLuyrvHQVn9f3l12z4Kpe78OYgyk=", "X-Google-Smtp-Source: ABdhPJxFLfLAnPfiVmGsjJGH4Dbt9Y3IUMcLD+lSu7sD9J0SNTHpjMg20MRxRrRZ1FTsb5Jz7Q74obF+nEUahFIfCU8=", "X-Received: by 2002:a4a:2256:: with SMTP id z22mr52115990ooe.62.1609841369104;", " Tue, 05 Jan 2021 02:09:29 -0800 (PST)", "From: jean jestin ", "Date: Tue, 5 Jan 2021 10:09:18 +0100", "Message-ID: ", "Subject: test", "To: test00292@outlook.fr", "Content-Type: multipart/alternative; boundary=\"000000000000f3441005b82466dd\"", "X-IncomingHeaderCount: 13", "Return-Path: jeanjestin@gmail.com", "X-MS-Exchange-Organization-ExpirationStartTime: 05 Jan 2021 10:09:30.2559", " (UTC)", "X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit", "X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000", "X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit", "X-MS-Exchange-Organization-Network-Message-Id:", " bd61560a-2c0c-4855-b77c-08d8b161fde5", "X-EOPAttributedMessage: 0", "X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0", "X-MS-Exchange-Organization-MessageDirectionality: Incoming", "X-MS-PublicTrafficType: Email", "X-MS-Exchange-Organization-AuthSource:", " AM7EUR06FT042.eop-eur06.prod.protection.outlook.com", "X-MS-Exchange-Organization-AuthAs: Anonymous", "X-MS-UserLastLogonTime: 1/5/2021 10:09:24 AM", "X-MS-Office365-Filtering-Correlation-Id: bd61560a-2c0c-4855-b77c-08d8b161fde5", "X-MS-TrafficTypeDiagnostic: AM7EUR06HT038:", "X-MS-Exchange-EOPDirect: true", "X-Sender-IP: 209.85.161.54", "X-SID-PRA: JEANJESTIN@GMAIL.COM", "X-SID-Result: PASS", "X-MS-Exchange-Organization-PCL: 2", "X-MS-Exchange-Organization-SCL: 0", "X-Microsoft-Antispam: BCL:0;", "X-OriginatorOrg: outlook.com", "X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Jan 2021 10:09:30.2379", " (UTC)", "X-MS-Exchange-CrossTenant-Network-Message-Id: bd61560a-2c0c-4855-b77c-08d8b161fde5", "X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa", "X-MS-Exchange-CrossTenant-AuthSource:", " AM7EUR06FT042.eop-eur06.prod.protection.outlook.com", "X-MS-Exchange-CrossTenant-AuthAs: Anonymous", "X-MS-Exchange-CrossTenant-FromEntityHeader: Internet", "X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:", " 00000000-0000-0000-0000-000000000000", "X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7EUR06HT038", "X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.2839927", "X-MS-Exchange-Processed-By-BccFoldering: 15.20.3721.024", "X-Microsoft-Antispam-Mailbox-Delivery:", "abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000282)(90000117)(90005022)(91005020)(90014020)(91030020)(91040095)(9000001)(9010001)(9050020)(9100272)(5061607266)(5061608174)(4900115)(98392012)(98393011)(4920090)(6515079)(4950131)(4990090);", "X-Message-Info:", "5vMbyqxGkderUG8NjABdPpLes3RkFKWntvpQA06tGLDJgwMWwy6H7rVZv7BCPUJ6SUbPjWEDDC74wrSoCHA+DurUy+k91nquYb7aP9KA6oCNxZtpL2GHobDBswqic8/mhD0sh4+Ee9Rpt/BAZMXj3O0bfFYNWBMjcE3Cz8i1SK2ENfsr4mws+ew16kqJp/DZ8G7VdyD/m62FrCGJlKisBQ==", "X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0z", "X-Microsoft-Antispam-Message-Info:", "=?utf-8?B?dHBYNGN4UHp4RGxnSWVoWk0xakRmcnlvTi93YitKRTVDbW5JbFJLNjFuODZs?=", " =?utf-8?B?U09lN0h1UUgyWWZZR2dzSzRDRndKSDJUZTZ3UmRLNHNCK3pUTGJDYnRpM2hp?=", " =?utf-8?B?TGoxNzdEWng4dGFBVlFKcy9qRDFNM0xpU2diVHRqd1VkWFc3Tlh6dzliVkFK?=", " =?utf-8?B?ZHd1a3RyZGNLTW9hdFBPdjBxYkdtNlJSSGtaM0RhZXJKOTZwSjFFV3dJbnZy?=", " =?utf-8?B?U0M1elhweEp3V3lkU2JnSDU2Y2hMa20zN1JXWldSSXpBWUZBVms5dmFZd1ZJ?=", " =?utf-8?B?VXVRdFVZR3JIMDR1TEFNU2NYS1I5ZjA3Nk44QXE3dnVUVFhjNkV0NGRpcEN5?=", " =?utf-8?B?YVhOb1U3bG55UEkxQ2s2bnpOOUR4NnQyaVdtbGRlNitFbHNlb2xUcnl4UmtW?=", " =?utf-8?B?ODAxdU5JcmxFOEltK1p0bjNTSUlWVmh4eXdYaVc1b3V3MDVBTmMvcjJKaWpq?=", " =?utf-8?B?NGc0bjFKdjZWcFA1UWhLVy9xRTRyZjdaSzZsaVZMNXBRZHFkUnlUcmY0MXlE?=", " =?utf-8?B?Rlc5T3hDcDFZL1FlUUcwU0I3ZlZMNjMxUE01d2s3ekdKYXptWmdneUJGL2dx?=", " =?utf-8?B?bkxHL24xN1lBUVdJUnNKbytvSm5hNjRwM0dpL0FGOU5jcU5tR3ZJQ1BuSEtQ?=", " =?utf-8?B?NG5uZGVrWkdxelRucG1USTVQTUx5K05CZUcrMzdMUFdyajRycVVsUlEvY3Nk?=", " =?utf-8?B?YS81c0llWmEzNjIzM1B5cVFFQnNGSVBQSm9tTjJYUGQzTmIxUjVMZFJsTmYz?=", " =?utf-8?B?MUMvMWNLR1NmelpsRkprajY0d29ZNEVKeVdxYy9LODROL1VQVWhsMk5oUUJL?=", " =?utf-8?B?cUJzQnNyQ0l6VjRaYWFxN21zb3o1NlY1YzFlZitYVzBNOU5vYjhTWDd4NWJX?=", " =?utf-8?B?ZFVCNkRGbm1Bek5XWDN2RGVGNEtZN3pKdVhKb3YrS3ExaEE1YWw2V3M0bEkx?=", " =?utf-8?B?eG4vN1RlUzRJYjFxNDJKSTIwRnhzTjkwVGpzeXEvNjFYVUsvTjNpZ1AvL2Fv?=", " =?utf-8?B?dHJEanJWSUdETW9OcW1aVkJMVlg3d29WOU9MdDhCQ0xUbTZ4WlhRcGlHMUt3?=", " =?utf-8?B?WnJ2TFd0bkZVL3JFT1B4N3cxcGJDK1dhZjNKcy9WRk40NHArZTZ0UjdHZGVU?=", " =?utf-8?B?YjUxSVJXMjl6WENGSzVqUGlnRW5UN3pXL05rR0lnOG1haTJyZ3lTcHR5U1dl?=", " =?utf-8?B?V0hpWTVnQXNkRmlmY2ZhV2F5c0liK2JVRCtiakMxaElHYlN6ckt0VG5qNURi?=", " =?utf-8?B?dWRCMWdnM1NxM1NGQTNvRytLQndUS2NpRDkzTW1pVGJNL251eW5iQy8wc1dh?=", " =?utf-8?Q?eENjgXOBwZXfOXmScXsRC4Vv9NuCg+0Ws+?=", "MIME-Version: 1.0", "jeanjestin@gmail.com", "SMTP:TEST00292@OUTLOOK.FR", "SMTP:TEST00292@OUTLOOK.FR", "test00292@outlook.fr", "jean jestin", "test00292@outlook.fr", "SMTP:JEANJESTIN@GMAIL.COM", "IPM.Note", "SMTP:TEST00292@OUTLOOK.FR", "test00292@outlook.fr", "test00292@outlook.fr", "Root Entry", "__properties_version1.0", "__nameid_version1.0", "__substg1.0_0E04001E", "Root Entry", "__properties_version1.0", "__nameid_version1.0", "__substg1.0_0E04001E", "__substg1.0_0E03001E", "__substg1.0_0E02001E", "__recip_version1.0_#00000000", "__substg1.0_001A001E", "__substg1.0_0037001E", "__substg1.0_003B0102", "__substg1.0_003F0102", "__substg1.0_0040001E", "__substg1.0_00410102", "__substg1.0_0042001E", "__substg1.0_00430102", "__substg1.0_0044001E", "__substg1.0_00510102", "__substg1.0_00520102", "__substg1.0_0064001E", "__substg1.0_0065001E", "__substg1.0_0070001E", "__substg1.0_00710102", "__substg1.0_0075001E", "__substg1.0_0076001E", "__substg1.0_0077001E", "__substg1.0_0078001E", "__substg1.0_007D001E", "__substg1.0_0C190102", "__substg1.0_0C1A001E", "__substg1.0_0C1D0102", "__substg1.0_0C1E001E", "__substg1.0_0C1F001E", "__substg1.0_1035001E", "__substg1.0_300B0102", "__substg1.0_3FFA001E", "__substg1.0_680D001E", "__substg1.0_680E001E", "__substg1.0_8000001E", "__substg1.0_8001001E", "__substg1.0_8003001E", "__substg1.0_80040102", "__substg1.0_003D001E", "__substg1.0_1000001E", "__substg1.0_10090102", "__substg1.0_65E20102", "__substg1.0_65E30102", "__substg1.0_0E1D001E", "__properties_version1.0", "jean jestin", "jeanjestin@gmail.com", "test00292@outlook.fr", "test00292@outlook.fr", "jean jestin", "jeanjestin@gmail.com", "test00292@outlook.fr", "test00292@outlook.fr", "__substg1.0_0FFF0102", "__substg1.0_3001001E", "__substg1.0_3002001E", "__substg1.0_3003001E", "__substg1.0_300B0102", "__substg1.0_0FF60102", "__substg1.0_00020102", "__substg1.0_00030102", "__substg1.0_00040102", "__substg1.0_10140102", "__substg1.0_10150102", "__substg1.0_10020102", "__substg1.0_10090102", "__substg1.0_10060102", "test00292@outlook.fr", "test00292@outlook.fr", "content-type4", "InTransitMessageCorrelator" ], "metadata": { "output": { "memdumps": [ { "basename": "2852-1.dmp", "sha256": "bfa55c3b937932d1b161d73e88926fa4862958fac3a850d62e014494bedc7dfb", "dirname": "memory" }, { "basename": "2852-2.dmp", "sha256": "6621b5efe4316eeef39e343eb58b5305b30e99b3b8ef11d59f3ec88c4c89e456", "dirname": "memory" } ] } } }