Veritas
F004 · LOW · Benign / FP · validator: passed

OUTLOOK.EXE RWX injected region

Memory injection in OUTLOOK.EXE

Analyst narrative

OUTLOOK.EXE PID 8128 (Wow64, PPID 5988, created 2018-08-30T13:54:05Z) contains two PAGE_EXECUTE_READWRITE private VadS regions (CommitCharge 16 each). RWX private memory in a user-facing Office process is consistent with code injection but is not proof of it: in both regions the dumped bytes are a 4-byte ASCII tag (`dtrR`) and one further non-zero DWORD followed by zero fill — no MZ/PE header and no decodable instruction stream (the Disasm field holds only the raw bytes) — which looks like a tagged allocation header rather than shellcode and is consistent with the Benign / FP disposition above. Supporting context from the same chain: the only socket is UDPv4 bound to 127.0.0.1:63646 with no foreign endpoint; psxview shows the process in csrss, pslist, psscan and thrdscan (not hidden); and the handle to the Image File Execution Options key is opened with GrantedAccess 0x9 (KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS), i.e. read-only, so it is not evidence of IFEO debugger/persistence tampering. The parent PID 5988 has no fact in this chain, so its identity is unverified on this page. Candidates cand-0003/cand-0004, fact_ids memory_injection_fact-0000000, -0000001.

Claims asserted

pid — vol_malfind, vol_netscan, vol_psscan, vol_pstree
user_account — vol_cmdline, vol_handles, vol_pstree (note: no vol_cmdline fact appears in the 50-fact proof chain below, so the user_account claim is not traceable on this page)

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it and to the forensic tool that produced that fact; the chain below is the result of a single finding_trace() query.

handle facthandle:pid:8128:key:machine\software\microsoft\windows nt\currentversion\image file execution options
vol_handles
Raw tool output · 779e319f37863757e17371c9dbe309d88dee09e6
{"GrantedAccess": 9, "HandleValue": 4, "Name": "MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS", "Offset": 229276785808656, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "Key", "TreeDepth": 0}
handle facthandle:pid:8128:event:12
vol_handles
Raw tool output · 38526282c7db014ed4899fc2ec1f0c2d8caf6ed5
{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518727244448, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:8128:waitcompletionpacket:16
vol_handles
Raw tool output · aa7bf7f91d5b4a25667d1cc80909da7f52343b9b
{"GrantedAccess": 1, "HandleValue": 16, "Name": null, "Offset": 154518757223216, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:8128:iocompletion:20
vol_handles
Raw tool output · 3250a96cbb349339276e19726d69b71b600d8309
{"GrantedAccess": 2031619, "HandleValue": 20, "Name": null, "Offset": 154518773856448, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "IoCompletion", "TreeDepth": 0}
handle facthandle:pid:8128:tpworkerfactory:24
vol_handles
Raw tool output · 3eecdf3e8adfb9712e8f301e8c749bde687a2baa
{"GrantedAccess": 983295, "HandleValue": 24, "Name": null, "Offset": 154518769237600, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle facthandle:pid:8128:irtimer:28
vol_handles
Raw tool output · 91b6ba38dbc89224b03e2eac82de42de5e2bab49
{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518761301824, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:8128:waitcompletionpacket:32
vol_handles
Raw tool output · 93721c5e617e3578d1403948b5d54efe4b613eda
{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518771803680, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:8128:irtimer:36
vol_handles
Raw tool output · 51072ef41a5b5624de943164a5558c8231af367e
{"GrantedAccess": 1048578, "HandleValue": 36, "Name": null, "Offset": 154518686005888, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:8128:waitcompletionpacket:40
vol_handles
Raw tool output · 5a348df84eade32cd2f63eb473a58d175742f6eb
{"GrantedAccess": 1, "HandleValue": 40, "Name": null, "Offset": 154518771803472, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:44
vol_handles
Raw tool output · 7679e54aa10db24a0ec4daf790e8a9ff514ea673
{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518769225408, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:48
vol_handles
Raw tool output · a1a970f49c68832980434fa31b01c11f1342b55d
{"GrantedAccess": 2052, "HandleValue": 48, "Name": null, "Offset": 154518769225184, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:52
vol_handles
Raw tool output · 29c91cdeabea52e93165d86ae6031b58ca1a7f46
{"GrantedAccess": 2052, "HandleValue": 52, "Name": null, "Offset": 154518769224960, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:directory:knowndlls
vol_handles
Raw tool output · fb767d244dc0619847495fe65934a62fd5a5be2e
{"GrantedAccess": 3, "HandleValue": 56, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "Directory", "TreeDepth": 0}
handle facthandle:pid:8128:event:60
vol_handles
Raw tool output · cde889af877919bfb3246149a86a5602d145015f
{"GrantedAccess": 2031619, "HandleValue": 60, "Name": null, "Offset": 154518772745216, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:8128:event:64
vol_handles
Raw tool output · 2c317bc5d30f04e15dedcf49c8406f445dd839cb
{"GrantedAccess": 2031619, "HandleValue": 64, "Name": null, "Offset": 154518723985952, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:8128:file:\device\harddiskvolume2\windows
vol_handles
Raw tool output · 5cdf6ca4ba90ac9fcfdd561ccbebed26dacedf39
{"GrantedAccess": 1048608, "HandleValue": 68, "Name": "\\Device\\HarddiskVolume2\\Windows", "Offset": 154518727387760, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "File", "TreeDepth": 0}
handle facthandle:pid:8128:directory:knowndlls32
vol_handles
Raw tool output · fd95e188318aedd23824c8cd5e335150756e88a6
{"GrantedAccess": 3, "HandleValue": 72, "Name": "KnownDlls32", "Offset": 229276702275152, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "Directory", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:76
vol_handles
Raw tool output · adf8764f6499a1af5ba7065e20480088f890a4cc
{"GrantedAccess": 2052, "HandleValue": 76, "Name": null, "Offset": 154518753153136, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:event:80
vol_handles
Raw tool output · a26f7477e176e8e9b4d3936f0459f6b2f2007120
{"GrantedAccess": 2031619, "HandleValue": 80, "Name": null, "Offset": 154518720443456, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:8128:waitcompletionpacket:84
vol_handles
Raw tool output · e3f137db065656daebcbe8c7a02a5dacd8892f6e
{"GrantedAccess": 1, "HandleValue": 84, "Name": null, "Offset": 154518773895664, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:8128:iocompletion:88
vol_handles
Raw tool output · 1d0f719f54149cbf05dafb6af8c919f36e6c62cf
{"GrantedAccess": 2031619, "HandleValue": 88, "Name": null, "Offset": 154518771767360, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "IoCompletion", "TreeDepth": 0}
handle facthandle:pid:8128:tpworkerfactory:92
vol_handles
Raw tool output · d14341a777ef212dc11c6bcb0e3cd7063c7b7729
{"GrantedAccess": 983295, "HandleValue": 92, "Name": null, "Offset": 154518769316912, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle facthandle:pid:8128:irtimer:96
vol_handles
Raw tool output · da2d34f9e67c35351a903c6e3e0be3300a3065e4
{"GrantedAccess": 1048578, "HandleValue": 96, "Name": null, "Offset": 154518715777120, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:8128:waitcompletionpacket:100
vol_handles
Raw tool output · a374adbed5a374014581141a9d751d74eed2c391
{"GrantedAccess": 1, "HandleValue": 100, "Name": null, "Offset": 154518769225616, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:8128:irtimer:104
vol_handles
Raw tool output · ef19956361b448b25975b4687fc32b3d566349a4
{"GrantedAccess": 1048578, "HandleValue": 104, "Name": null, "Offset": 154518761301552, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "IRTimer", "TreeDepth": 0}
handle facthandle:pid:8128:waitcompletionpacket:108
vol_handles
Raw tool output · feae996af11beab8b947b58fbf0d322dd6820d19
{"GrantedAccess": 1, "HandleValue": 108, "Name": null, "Offset": 154518771767152, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "WaitCompletionPacket", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:112
vol_handles
Raw tool output · 25f6ad1735b40a6d5b7c1d51020c6988607e9e19
{"GrantedAccess": 2052, "HandleValue": 112, "Name": null, "Offset": 154518771766944, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:116
vol_handles
Raw tool output · d9cb5b7c86e1385498da2819043c7ffa67fc1eb8
{"GrantedAccess": 2052, "HandleValue": 116, "Name": null, "Offset": 154518771766720, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:120
vol_handles
Raw tool output · 28cb421ddd606adbba32b8292c19807d2e61a495
{"GrantedAccess": 2052, "HandleValue": 120, "Name": null, "Offset": 154518773874576, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:event:128
vol_handles
Raw tool output · 2c167833a8ac34b3ac64772c64309d20e13d7642
{"GrantedAccess": 2031619, "HandleValue": 128, "Name": null, "Offset": 154518768996320, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:8128:event:132
vol_handles
Raw tool output · d46df2910231242446dc60bb08fc357f2af5e5a9
{"GrantedAccess": 2031619, "HandleValue": 132, "Name": null, "Offset": 154518717143200, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "Event", "TreeDepth": 0}
handle facthandle:pid:8128:semaphore:136
vol_handles
Raw tool output · 3d1c2acd742723de841d1a81726e2aa9c51e20eb
{"GrantedAccess": 2031619, "HandleValue": 136, "Name": null, "Offset": 154518720988176, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "Semaphore", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:140
vol_handles
Raw tool output · 5da0ae8fca7ba66b69eade0f97501508c4e76980
{"GrantedAccess": 2052, "HandleValue": 140, "Name": null, "Offset": 154518773872592, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:144
vol_handles
Raw tool output · 7b11776383df31e84571e4d530eedb11f845016d
{"GrantedAccess": 2052, "HandleValue": 144, "Name": null, "Offset": 154518757942912, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:alpc port:148
vol_handles
Raw tool output · 9d994e1466f751f22331afa358943c20ec963e1c
{"GrantedAccess": 2031617, "HandleValue": 148, "Name": null, "Offset": 154518771787200, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "ALPC Port", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:152
vol_handles
Raw tool output · 4335ce2c6e9c0b2b6d6874755e09caff530aa065
{"GrantedAccess": 2052, "HandleValue": 152, "Name": null, "Offset": 154518773906544, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:156
vol_handles
Raw tool output · 75b35cb953cc8dee725642c0f4bcf4189e578b10
{"GrantedAccess": 2052, "HandleValue": 156, "Name": null, "Offset": 154518774029152, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:160
vol_handles
Raw tool output · fed3e89f0a53674032aad865140ff39af31a9510
{"GrantedAccess": 2052, "HandleValue": 160, "Name": null, "Offset": 154518774027872, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:164
vol_handles
Raw tool output · 224879c6f4b71e479ec22f910b1cf7b7f60847a0
{"GrantedAccess": 2052, "HandleValue": 164, "Name": null, "Offset": 154518774027648, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:168
vol_handles
Raw tool output · 24cd7199037fea7122fb19053bd4b679aeb98ea7
{"GrantedAccess": 2052, "HandleValue": 168, "Name": null, "Offset": 154518774027424, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:etwregistration:172
vol_handles
Raw tool output · 56f31886225dd63bef932c70cf81129aaeeacd71
{"GrantedAccess": 2052, "HandleValue": 172, "Name": null, "Offset": 154518773946368, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "EtwRegistration", "TreeDepth": 0}
handle facthandle:pid:8128:tpworkerfactory:176
vol_handles
Raw tool output · 4f66117a9bee1316868494b877eb663a2b48ca63
{"GrantedAccess": 983295, "HandleValue": 176, "Name": null, "Offset": 154518771914240, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "TpWorkerFactory", "TreeDepth": 0}
handle facthandle:pid:8128:iocompletion:180
vol_handles
Raw tool output · 86d006da97fc9ae402363336134121c18761912e
{"GrantedAccess": 2031619, "HandleValue": 180, "Name": null, "Offset": 154518773974976, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "IoCompletion", "TreeDepth": 0}
handle facthandle:pid:8128:irtimer:184
vol_handles
Raw tool output · ff2a00d5cfae9b861c845d59daba699fe6571edd
{"GrantedAccess": 1048578, "HandleValue": 184, "Name": null, "Offset": 154518768994768, "PID": 8128, "Process": "OUTLOOK.EXE", "Type": "IRTimer", "TreeDepth": 0}
memory injection factpid:8128
vol_malfind
Raw tool output · b12c91dc54e1f0a5705fb212cc1f28052c9a6402
{"CommitCharge": 16, "Disasm": "\"64 74 72 52 00 00 00 00 18 03 3a 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\"", "End VPN": 909836287, "File output": "Disabled", "Hexdump": "64 74 72 52 00 00 00 00 18 03 3a 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00", "Notes": null, "PID": 8128, "PrivateMemory": 1, "Process": "OUTLOOK.EXE", "Protection": "PAGE_EXECUTE_READWRITE", "
memory injection factpid:8128
vol_malfind
Raw tool output · 1684e32855c946cb2a751a80131df5e246e9a756
{"CommitCharge": 16, "Disasm": "\"64 74 72 52 00 00 00 00 60 18 2f 6f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\"", "End VPN": 1865416703, "File output": "Disabled", "Hexdump": "64 74 72 52 00 00 00 00 60 18 2f 6f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00", "Notes": null, "PID": 8128, "PrivateMemory": 1, "Process": "OUTLOOK.EXE", "Protection": "PAGE_EXECUTE_READWRITE", 
network connection factpid:8128
vol_netscan
Raw tool output · d5b9774e42f7df1370f80eb74e56766aab8ac3c4
{"Created": "2018-08-30T13:54:28+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "127.0.0.1", "LocalPort": 63646, "Offset": 154518792444720, "Owner": "OUTLOOK.EXE", "PID": 8128, "Proto": "UDPv4", "State": "", "TreeDepth": 0}
process factpid:8128
vol_psscan
Raw tool output · 99bac71fccd8584d33fd9d7b4b71a9e8bde716fa
{"CreateTime": "2018-08-30T13:54:05+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "OUTLOOK.EXE", "Offset(V)": 154518757187712, "PID": 8128, "PPID": 5988, "SessionId": 1, "Threads": 57, "Wow64": true, "TreeDepth": 0}
process relationship factpid:8128->pid:5988
vol_psscan, vol_pstree
Raw tool output · e886d9c954da7bce10ba02614f70d0e038e38122
{"CreateTime": "2018-08-30T13:54:05+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "OUTLOOK.EXE", "Offset(V)": 154518757187712, "PID": 8128, "PPID": 5988, "SessionId": 1, "Threads": 57, "Wow64": true, "TreeDepth": 0}
psxview factpsxview:pid:8128
vol_psxview
Raw tool output · 0c826e60433a0f1ba70152d0d06d1e6e3368423c
{"Exit Time": "", "Name": "OUTLOOK.EXE", "Offset(Virtual)": 154518757187712, "PID": 8128, "csrss": true, "pslist": true, "psscan": true, "thrdscan": true, "TreeDepth": 0}

Source tools

vol_cmdline, vol_handles, vol_malfind, vol_netscan, vol_psscan, vol_pstree