Veritas
F003 · MEDIUM · Inconclusive · validator: passed

UpdaterUI.exe process with RWX memory region

UpdaterUI.exe

Analyst narrative

UpdaterUI.exe (PID 6036, PPID 7944), spawned from runonce.exe, contains a PAGE_EXECUTE_READWRITE memory region, indicating possible code injection. The hexdump of the malfind region is almost entirely zero bytes, so the RWX protection alone is not proof of injected code, which is why the finding is rated Inconclusive.

Claims asserted

pid — vol_malfind, vol_pstree, vol_psscan
user_account — vol_cmdline, vol_handles, vol_pstree

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it and to the forensic tool that produced that fact; the whole chain below is the result of a single finding_trace() query.

handle fact · handle:pid:6036:event:4
vol_handles
Raw tool output · 1f97e4ed50f80c4fe6fb9799050b8f2823c7ace1
{"GrantedAccess": 2031619, "HandleValue": 4, "Name": null, "Offset": 154518719421152, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Event", "TreeDepth": 0}
handle fact · handle:pid:6036:waitcompletionpacket:8
vol_handles
Raw tool output · 77fa21fa87d6e0142e1116235951f420be39c3f0
{"GrantedAccess": 1, "HandleValue": 8, "Name": null, "Offset": 154518754783552, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:6036:iocompletion:12
vol_handles
Raw tool output · 6a922db6fcc343483db054af234020cc30200844
{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518723777472, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "IoCompletion", "TreeDepth": 0}
handle fact · handle:pid:6036:tpworkerfactory:16
vol_handles
Raw tool output · 13c59eaecef77f067257c5e2734b04ba36a69764
{"GrantedAccess": 983295, "HandleValue": 16, "Name": null, "Offset": 154518715904768, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle fact · handle:pid:6036:irtimer:20
vol_handles
Raw tool output · 3c5a88a8b13044b004071fe3a91056b2670c5b7a
{"GrantedAccess": 1048578, "HandleValue": 20, "Name": null, "Offset": 154518753809024, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "IRTimer", "TreeDepth": 0}
handle fact · handle:pid:6036:waitcompletionpacket:24
vol_handles
Raw tool output · c8886ddf2c2420eb6cee1c8c8302056d1c59f16b
{"GrantedAccess": 1, "HandleValue": 24, "Name": null, "Offset": 154518774055808, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:6036:irtimer:28
vol_handles
Raw tool output · a70a0d6c78ee8e4d76a8103b002208d4748f9624
{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518719726560, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "IRTimer", "TreeDepth": 0}
handle fact · handle:pid:6036:waitcompletionpacket:32
vol_handles
Raw tool output · 543745abfbd35aac7e9b799f7de1b18875ea18b3
{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518774114000, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:6036:etwregistration:36
vol_handles
Raw tool output · 2af0b983b0b3a40c4b5b5aef3fe9635421d0b118
{"GrantedAccess": 2052, "HandleValue": 36, "Name": null, "Offset": 154518720213360, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:6036:etwregistration:40
vol_handles
Raw tool output · d2d55f5194bbc6f8f480499dd25f5a4d8ca59188
{"GrantedAccess": 2052, "HandleValue": 40, "Name": null, "Offset": 154518720213584, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:6036:etwregistration:44
vol_handles
Raw tool output · d77fbe50ad248a2fec6cd1c25a0c78ce490dcee5
{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518720213808, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:6036:directory:knowndlls
vol_handles
Raw tool output · fb85e6a2333aa3a3c2f49a96e95c0f88830fc8ff
{"GrantedAccess": 3, "HandleValue": 48, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Directory", "TreeDepth": 0}
handle fact · handle:pid:6036:event:52
vol_handles
Raw tool output · 469959d59d469cd6b80157e0aff8f470e4a2aa23
{"GrantedAccess": 2031619, "HandleValue": 52, "Name": null, "Offset": 154518715038224, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Event", "TreeDepth": 0}
handle fact · handle:pid:6036:file:\device\harddiskvolume2\windows
vol_handles
Raw tool output · 869f8d44738a0c5e25d7e8fb6fb9da9376b415ae
{"GrantedAccess": 1048608, "HandleValue": 60, "Name": "\\Device\\HarddiskVolume2\\Windows", "Offset": 154518775020736, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "File", "TreeDepth": 0}
handle fact · handle:pid:6036:key:machine\system\controlset001\control\nls\sorting\versions
vol_handles
Raw tool output · 78e738e67f8994c7417d315908dc933b2d6e7e96
{"GrantedAccess": 131097, "HandleValue": 64, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS", "Offset": 229276778015136, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Key", "TreeDepth": 0}
handle fact · handle:pid:6036:key:machine\system\controlset001\control\session manager
vol_handles
Raw tool output · 9ae519a493287d05fbb483f420edbfe1f6eeb596
{"GrantedAccess": 1, "HandleValue": 68, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER", "Offset": 229276907111312, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Key", "TreeDepth": 0}
handle fact · handle:pid:6036:directory:knowndlls32
vol_handles
Raw tool output · 8a8101ff48d4430831c052aa3fc7e9e02124183f
{"GrantedAccess": 3, "HandleValue": 72, "Name": "KnownDlls32", "Offset": 229276702275152, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Directory", "TreeDepth": 0}
handle fact · handle:pid:6036:event:76
vol_handles
Raw tool output · 149a05f90f4e1ee035e3e32f00a723771bdafb57
{"GrantedAccess": 2031619, "HandleValue": 76, "Name": null, "Offset": 154518774239936, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Event", "TreeDepth": 0}
handle fact · handle:pid:6036:waitcompletionpacket:80
vol_handles
Raw tool output · cb74507edce5eeed1ed8973a6bb0e0add654f76e
{"GrantedAccess": 1, "HandleValue": 80, "Name": null, "Offset": 154518774226208, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:6036:iocompletion:84
vol_handles
Raw tool output · 6899d6e957950bda645662316a43059ae40493f3
{"GrantedAccess": 2031619, "HandleValue": 84, "Name": null, "Offset": 154518715518656, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "IoCompletion", "TreeDepth": 0}
handle fact · handle:pid:6036:tpworkerfactory:88
vol_handles
Raw tool output · 94c80c86c1954940d4b10d06b64f4475fff5a018
{"GrantedAccess": 983295, "HandleValue": 88, "Name": null, "Offset": 154518675494176, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle fact · handle:pid:6036:irtimer:92
vol_handles
Raw tool output · 8e7abd51e6f9aa46b121c287fcbdc17cf94d419b
{"GrantedAccess": 1048578, "HandleValue": 92, "Name": null, "Offset": 154518724163856, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "IRTimer", "TreeDepth": 0}
handle fact · handle:pid:6036:waitcompletionpacket:96
vol_handles
Raw tool output · f57e6981206b4fbb515945042164baf0d4d3d030
{"GrantedAccess": 1, "HandleValue": 96, "Name": null, "Offset": 154518773956336, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:6036:irtimer:100
vol_handles
Raw tool output · e3599308e9489044713bbb9e9347ca8e3635af9d
{"GrantedAccess": 1048578, "HandleValue": 100, "Name": null, "Offset": 154518752595792, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "IRTimer", "TreeDepth": 0}
handle fact · handle:pid:6036:waitcompletionpacket:104
vol_handles
Raw tool output · 15fc30959972717e51cb57f6d91e226daf65222e
{"GrantedAccess": 1, "HandleValue": 104, "Name": null, "Offset": 154518753565920, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:6036:etwregistration:108
vol_handles
Raw tool output · c03369115412612123cdc946bb14bce1270a7eda
{"GrantedAccess": 2052, "HandleValue": 108, "Name": null, "Offset": 154518753158976, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:6036:etwregistration:112
vol_handles
Raw tool output · 73ec1dbff0ac949cac67294d86c8911957b9b69f
{"GrantedAccess": 2052, "HandleValue": 112, "Name": null, "Offset": 154518753196592, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:6036:etwregistration:116
vol_handles
Raw tool output · ff509cf039c925352b5a05d2049c71b2541bec01
{"GrantedAccess": 2052, "HandleValue": 116, "Name": null, "Offset": 154518753795744, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:6036:event:124
vol_handles
Raw tool output · acca0fcf03c01c0bc141b71c763f230208a3777c
{"GrantedAccess": 2031619, "HandleValue": 124, "Name": null, "Offset": 154518720982208, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Event", "TreeDepth": 0}
handle fact · handle:pid:6036:event:128
vol_handles
Raw tool output · 625395ff617bd1404c56054d1667c849c36c02db
{"GrantedAccess": 2031619, "HandleValue": 128, "Name": null, "Offset": 154518678226688, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Event", "TreeDepth": 0}
handle fact · handle:pid:6036:file:\device\harddiskvolume2\windows\syswow64
vol_handles
Raw tool output · 0afbcd71cb9caeadc3e7f6d9a4f450b34b286312
{"GrantedAccess": 1048608, "HandleValue": 132, "Name": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64", "Offset": 154518775027648, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "File", "TreeDepth": 0}
handle fact · handle:pid:6036:etwregistration:136
vol_handles
Raw tool output · 2983c19ba0493cefce0ed55e958f08c0aa6710c8
{"GrantedAccess": 2052, "HandleValue": 136, "Name": null, "Offset": 154518753464688, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:6036:etwregistration:140
vol_handles
Raw tool output · 48193b0b27a031016b33f43754beae5484390931
{"GrantedAccess": 2052, "HandleValue": 140, "Name": null, "Offset": 154518753554320, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:6036:alpc port:144
vol_handles
Raw tool output · 0fffdda64af7dc94a3ae9da2291eec5ec664ef87
{"GrantedAccess": 2031617, "HandleValue": 144, "Name": null, "Offset": 154518775045216, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "ALPC Port", "TreeDepth": 0}
handle fact · handle:pid:6036:iocompletion:148
vol_handles
Raw tool output · 089bcee5626b3e7b18e749284acd61794e626b0d
{"GrantedAccess": 2031619, "HandleValue": 148, "Name": null, "Offset": 154518753554112, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "IoCompletion", "TreeDepth": 0}
handle fact · handle:pid:6036:tpworkerfactory:152
vol_handles
Raw tool output · a0b3385f02c2ab472da617861ff6d13e08e51e50
{"GrantedAccess": 983295, "HandleValue": 152, "Name": null, "Offset": 154518715507024, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle fact · handle:pid:6036:irtimer:156
vol_handles
Raw tool output · 8746122185b07b1ebec62c5025118284f7dc2a62
{"GrantedAccess": 1048578, "HandleValue": 156, "Name": null, "Offset": 154518769128848, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "IRTimer", "TreeDepth": 0}
handle fact · handle:pid:6036:waitcompletionpacket:160
vol_handles
Raw tool output · 10f2f43df14525837dd4ae6c8b4da475c6caa8b0
{"GrantedAccess": 1, "HandleValue": 160, "Name": null, "Offset": 154518774226832, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:6036:irtimer:164
vol_handles
Raw tool output · 4666d15f1a682bcd8a8de55dd60712962bb6274f
{"GrantedAccess": 1048578, "HandleValue": 164, "Name": null, "Offset": 154518774015792, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "IRTimer", "TreeDepth": 0}
handle fact · handle:pid:6036:waitcompletionpacket:168
vol_handles
Raw tool output · 7cc414d9ef94b6c3bea19526aba2ece5f1bd3e22
{"GrantedAccess": 1, "HandleValue": 168, "Name": null, "Offset": 154518716381376, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle fact · handle:pid:6036:file:\device\harddiskvolume2\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.16299.547_none_d02733
vol_handles
Raw tool output · 8b8046a19c8e40fea07babc2cafd6b42c5e47b08
{"GrantedAccess": 1048608, "HandleValue": 172, "Name": "\\Device\\HarddiskVolume2\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.16299.547_none_d027336f5f36dc9a", "Offset": 154518757880288, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "File", "TreeDepth": 0}
handle fact · handle:pid:6036:semaphore:176
vol_handles
Raw tool output · 243837cfc15714d017d2628e6be4c6088167dacf
{"GrantedAccess": 1048579, "HandleValue": 176, "Name": null, "Offset": 154518753559424, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Semaphore", "TreeDepth": 0}
handle fact · handle:pid:6036:semaphore:180
vol_handles
Raw tool output · c8f7220c26d66034cfe644be7c76f231570507df
{"GrantedAccess": 1048579, "HandleValue": 180, "Name": null, "Offset": 154518715276336, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Semaphore", "TreeDepth": 0}
handle fact · handle:pid:6036:etwregistration:184
vol_handles
Raw tool output · 9a430b0a500dd436147b9625b49f8755a3153eac
{"GrantedAccess": 2052, "HandleValue": 184, "Name": null, "Offset": 154518775065936, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:6036:etwregistration:188
vol_handles
Raw tool output · 8d0e4266fd783aacb5ea017ba9da2f551218f5c4
{"GrantedAccess": 2052, "HandleValue": 188, "Name": null, "Offset": 154518752925760, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "EtwRegistration", "TreeDepth": 0}
handle fact · handle:pid:6036:key:machine\system\controlset001\control\nls\customlocale
vol_handles
Raw tool output · 726902277a7ca868f6b89366c6d9bf688f1750a7
{"GrantedAccess": 1, "HandleValue": 192, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE", "Offset": 229276780412240, "PID": 6036, "Process": "UpdaterUI.exe", "Type": "Key", "TreeDepth": 0}
memory injection fact · pid:6036
vol_malfind
Raw tool output · c7babf485a419972efd1340626531044d8a26c80
{"CommitCharge": 1, "Disasm": "\"00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 05 00 00 00 00 00 00 00 00 00 00 00 00 10 00 07 05 00 00 00 00 00 00 00 00 00 00 00 00 20 00 07 05 00 00 00 00 00 00 00 00 00 00 00 00\"", "End VPN": 84348927, "File output": "Disabled", "Hexdump": "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 05 00 00 00 00 00 00 00 00 00 00 00 00 10 00 07 05 00 00 00 00 00 00 00 00 00 00 00 00 20 00 07 05 00 00 00 00 00 00 00 00 00 00 00 00", "Notes": null, "PID": 6036, "PrivateMemory": 1, "Process": "UpdaterUI.exe", "Protection": "PAGE_EXECUTE_READWRITE", "
process fact · pid:6036
vol_psscan
Raw tool output · 3cdf1c721838a912c5c958a01295cfdd794c8ef3
{"CreateTime": "2018-08-30T13:54:06+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "UpdaterUI.exe", "Offset(V)": 154518721101952, "PID": 6036, "PPID": 7944, "SessionId": 1, "Threads": 6, "Wow64": true, "TreeDepth": 0}
process relationship fact · pid:2284->pid:6036
vol_psscan, vol_pstree
Raw tool output · c337522108252143d44a88194600059327cd195b
{"CreateTime": "2018-08-30T13:54:11+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "mctray.exe", "Offset(V)": 154518720282752, "PID": 2284, "PPID": 6036, "SessionId": 1, "Threads": 26, "Wow64": true, "TreeDepth": 0}
process relationship fact · pid:6036->pid:7944
vol_psscan, vol_pstree
Raw tool output · edded00e65374ff6a8838cd9b553a0dddfa45b19
{"CreateTime": "2018-08-30T13:54:06+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "UpdaterUI.exe", "Offset(V)": 154518721101952, "PID": 6036, "PPID": 7944, "SessionId": 1, "Threads": 6, "Wow64": true, "TreeDepth": 0}

Source tools

vol_cmdline, vol_handles, vol_malfind, vol_psscan, vol_pstree